Disclaimer 

The information contained in this document is 
subject to change without notice. 

HEWLETT-PACKARD COMPANY MAKES NO 
WARRANTY OF ANY KIND WITH REGARD TO 
THIS MATERIAL, INCLUDING BUT NOT LIMITED 
TO, THE IMPLIED WARRANTIES OF 
MERCHANTABILITY AND FITNESS FOR A 
PARTICULAR PURPOSE. 

Hewlett-Packard shall not be liable for errors 
contained herein or for incidental or consequential 
damages in connection with the furnishing, 
performance or use of this material. 

Hewlett-Packard assumes no responsibility for the 
use or reliability of its software on equipment that is 
not furnished by Hewlett-Packard. 

A copy of the specific warranty terms applicable to 
your HP product and replacement parts can be 
obtained from your HP Sales and Service Office or 
authorized dealer. 

Warranty 

See the Customer Support and Warranty booklet 
included with the product. 

A copy of the specific warranty terms applicable to 
your Hewlett-Packard products and replacement 
parts can be obtained from your HP Sales and 
Service Office or authorized dealer. 



Safety Considerations 

Prior to the installation and use of this product, 
review all safety markings and instructions. 




Instruction Manual Symbol. 



If the product is marked with the above symbol, refer 
to the product manual to protect the product from 
damage. 

WARNING Denotes a hazard that can cause injury. 

CAUTION Denotes a hazard that can damage 
equipment or data. 

Do not proceed beyond a WARNING or CAUTION notice until you have understood the hazard and 
have taken appropriate precautions. 

Use of control, adjustments or performance 
procedures other than those specified herein may 
result in hazardous radiation exposure. 

Grounding 

This product provides a protective earthing terminal. 
There must be an uninterrupted safety earth ground 
from the main power source to the product's input 
wiring terminals, power cord or supplied power cord 
set. Whenever it is likely that the protection has 
been impaired, disconnect the power cord until the 
ground has been restored. 

If your LAN covers an area served by more than one 
power distribution system, be sure their safety 
grounds are securely interconnected. 

LAN cables may occasionally be subject to 
hazardous transient voltages (such as lightning or 
disturbances in the electrical utilities power grid). 
Handle exposed metal components of the network 
with caution. 

For more safety information, see "Safety and EMC 
Regulatory Statements", beginning on page v. 

Servicing 

There are no user-serviceable parts inside the user-installable modules comprising the product. Any 
servicing, adjustment, maintenance or repair must be performed only by service-trained personnel. 



Organization of Product Documentation 



Read Me First 

The "Read Me First" document includes software release information, a brief "Getting Started" section, an 
accessory parts list, troubleshooting tips, operating notes, and other information that is not included elsewhere in 
the product documentation. 



NOTE: HP periodically updates Read Me First. The latest version is available at 
http://www.hp.com/go/hpprocurve. (Click on Technical Support, then Manuals.) 

Main Product Coverage 

The main product documentation for your switch or routing switch includes: 

• Book 1: Installation and Getting Started Guide. Book 1 (this manual) contains the product Safety and EMC 
Regulatory statements as well as installation, security, and basic configuration information. A printed copy of 
this guide is included with your HP product. An electronic copy is also included as a PDF (Portable Document 
Format) file on the CD shipped with your HP product. 

• Book 2: Advanced Configuration and Management Guide. Book 2 contains advanced configuration 
information for routing protocols, Spanning Tree Protocol (STP), Quality of Service (QoS), and Virtual LANs 
(VLANs). In addition, appendixes in this guide contain reference information for network monitoring, policies 
and filters, and software and hardware specifications. This manual is included in a PDF (Portable Document 
Format) file on the CD shipped with your HP product. 

• Book 3: Command Line Interface Reference. Book 3 provides a dictionary of CLI commands and syntax. An 
electronic copy of this reference is included as a PDF (Portable Document Format) file on the CD shipped 
with your HP product. 

These documents also are available in PDF file format on HP's ProCurve website. 



NOTE: In Book 2, most of the chapters apply only to the HP 9304M, HP 9308M, and HP 6308M-SX routing 
switches (and not the HP 6208M-SX switch). However, the QoS, ACL, STP, and VLAN chapters, and appendixes 
A and B apply to the HP 6208M-SX switch as well as the routing switches. 

Product CD: A Tool for Finding Specific Information and/or Printing Selected Pages 

This CD is shipped with your HP product and provides the following: 

• A README.txt file (or README.pdf file) describing the CD contents and use, including easy instructions on 
how to search the book files for specific information 

• A contents.pdf file to give you easy access to Book 1, Book 2, and the CLI Reference on the CD 

• Separate PDF files of the individual chapters and appendixes in Book 1 and Book 2, enabling you to easily 
print individual chapters, appendixes, and selected pages 

• Single PDF files for each of the books, enabling you to use the Adobe® Acrobat® Reader to easily search for 
detailed information 

• An Adobe Acrobat Reader (in case you don't already have a reader installed on your PC) 

• Additional files. These may include such items as a copy of the device software (OS), additional Readme 
files, and updates to network management software (HP TopTools for Hubs & Switches). 

Supplements and Release Notes 

These documents describe features that became available between revisions of the main product documentation. 
Depending on when new features are released, you may or may not receive any supplements or release notes 
with your HP product. New releases of such documents will be available on HP's ProCurve website. To register 
to receive email notice from HP when a new software release is available, go to 
http://www.hp.com/go/hpprocurve and click on Technical Support, then Software. 
Safety Information 

Documentation reference symbol. If the product is marked 
with this symbol, refer to the product documentation to get 
more information about the product. 



A WARNING in the manual denotes a hazard that can 
cause injury or death. 

A CAUTION in the manual denotes a hazard that can 
damage equipment. 

Do not proceed beyond a WARNING or CAUTION notice 
until you have understood the hazardous conditions and 
have taken appropriate steps. 

Grounding 

These are safety class I products and have protective earthing terminals. There must be an uninterruptible safety 
earth ground from the main power source to the product's input wiring terminals, power cord, or supplied power 
cord set. Whenever it is likely that the protection has been impaired, disconnect the power cord until the ground 
has been restored. 

For LAN cable grounding: 

• If your LAN covers an area served by more than one power distribution system, be sure their safety grounds 
are securely interconnected. 

• LAN cables may occasionally be subject to hazardous transient voltages (such as lightning or disturbances in 
the electrical utilities power grid). Handle exposed metal components of the network with caution. 

Servicing 

There are no user-serviceable parts inside these products. Any servicing, adjustment, maintenance, or repair 
must be performed only by service-trained personnel. 

These products do not have a power switch; they are powered on when the power cord is plugged in. 







Installation and Getting Started Guide 



Safety Information (France) 

Documentation reference symbol. If the product is marked with this symbol, refer to the product 
documentation for more detailed information. 

In the documentation, a WARNING indicates a hazard that can cause bodily injury or death. 

A caution notice labeled CAUTION indicates a hazard that can cause damage to the equipment. 

Do not proceed beyond a WARNING or CAUTION item until you have fully understood the hazardous 
conditions and taken the appropriate measures. 

This appliance is a class I product and has an earthing terminal. The main power source must be fitted with a 
safety earth ground installed at the input wiring terminals, on the power cord, or on the connecting cord supplied 
with the product. When this protection appears to have been damaged, unplug the power cord until the earth 
ground has been repaired. 

LAN cable grounding: 

• If your LAN covers an area served by more than one power distribution system, make sure the safety earth 
grounds are properly interconnected. 

• LAN cables may occasionally be subjected to hazardous transient overvoltages (such as lightning or 
disturbances in the public power grid). Handle the metal components of the network with care. 

No part inside this product can be repaired by the user. Any troubleshooting, adjustment, maintenance, or repair 
must be entrusted exclusively to qualified personnel. 

This appliance has no main switch; it is powered on by plugging in the power cord. 



Safety Information (Germany) 

Documentation reference symbol. If the product is marked with this symbol, please consult the product 
documentation for more information about the product. 

Do not proceed beyond a WARNING or CAUTION notice until you have understood the hazardous condition and 
taken the appropriate measures. 

This is a safety class I device and has a protective earthing terminal. Operating the device requires an 
uninterrupted safety earth ground from the main power source to the device's input terminals, the power cords, 
or the supplied power cord set. As soon as there is reason to believe that the protection has been impaired, 
unplug the power cord from the wall socket until the ground has been restored. 

For LAN cable grounding: 

• If your LAN covers an area supplied by more than one power distribution system, you must make sure that the 
safety grounds are firmly interconnected. 

• LAN cables may occasionally be exposed to hazardous transient voltages (for example from lightning or 
disturbances in the utility's high-voltage grid). Exercise caution when handling exposed metal components of 
the network. 

This device contains no user-serviceable parts. Servicing, adjustment, maintenance, or repair work may only be 
carried out by trained service personnel. 

This device has no power switch; it is switched on when the power cord is connected. 

Safety Information (Italy) 

Documentation reference symbol. If the product is marked with this symbol, refer to the product 
documentation for further information about it. 

The word WARNING denotes a hazard that can cause injury or death. 

The word CAUTION denotes a hazard that can damage the equipment. 

Do not proceed beyond a WARNING or CAUTION notice until you have understood the risk conditions and 
taken the appropriate measures. 

This product is certified in safety class I and has a protective earthing terminal. A non-interruptible safety earth 
connection must be installed from the main power source to the input terminals, to the power cord, or to the 
power cord set supplied with the product. Whenever there is a likelihood that the protection has been damaged, 
disconnect the power cord until the earth connection has been restored. 

For grounding LAN cables: 

• If your LAN covers an area served by more than one electrical distribution system, make sure the safety earth 
connections are well connected to each other; 

• LAN cables may occasionally be subject to hazardous transient voltages (for example, caused by lightning or 
disturbances in the electric utility's power grid); be careful when touching exposed metal parts of the network. 

No component of this product can be repaired by the user. Any repair, adjustment, maintenance, or service work 
must be performed exclusively by specialized personnel. 

This appliance has no main switch; it is powered on when the power cord is inserted. 
Safety Information (Spain) 

Documentation reference symbol. If the product is marked with this symbol, consult the product 
documentation for more information about the product. 

A WARNING in the documentation indicates a risk that could result in injury or death. 

A CAUTION in the documentation indicates a risk that could result in damage to the equipment. 

Do not proceed beyond a WARNING or CAUTION symbol until you have understood the hazardous conditions 
and taken the appropriate measures. 

This appliance falls within safety class I and is protected by an earthing terminal. There must be a continuous 
earth ground from the electrical power outlet to the appliance's input cable terminals, the power cord, or the 
supplied power cord set. If the earth protection is likely to have been damaged, unplug the power cord until the 
problem has been corrected. 

Grounding of the local area network (LAN) cable: 

• If the LAN covers an area whose electrical supply comes from more than one distribution network, make sure 
the earth grounds are securely connected to each other. 

• LAN cables may occasionally be subjected to momentary voltages that are hazardous (lightning or 
disturbances in the electrical power grid). Handle exposed metal components of the LAN with care. 

This appliance contains no parts that can be repaired by the user. All repairs, adjustments, or maintenance 
service must be performed only by a technician. 

This product has no power switch; it is activated when the power cord is plugged in. 
Safety Information (Japan) 

Safety Information (China) 

Lasers 

The Gigabit-SX and Gigabit-LX Modules are Class 1 Laser Products (Laser Class 1). 

The modules comply with IEC 825-2: 1993. 
EMC Regulatory Statements 

U.S.A. 

FCC Class A 

This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 
15 of the FCC Rules. These limits are designed to provide reasonable protection against interference when the 
equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio 
frequency energy and, if not installed and used in accordance with the instruction manual, may cause 
interference to radio communications. Operation of this equipment in a residential area may cause interference in 
which case the user will be required to correct the interference at his own expense. 

Canada 

This product complies with Class A Canadian EMC requirements. 

Australia/New Zealand 

This product complies with Australia/New Zealand EMC Class A requirements. 

Japan 

VCCI Class A 
Korea 



Taiwan 
Chapter 1 
Getting Started 



Introduction 

This guide describes how to install, configure, and monitor the following devices: 

• HP ProCurve Routing Switch 9308M 

• HP ProCurve Routing Switch 9304M 

• HP ProCurve Routing Switch 6308M-SX 

• HP ProCurve Switch 6208M-SX 

This guide also describes how to monitor these products using statistics and summary screens. 

Audience 

This guide assumes that you have a working knowledge of Layer 2 and Layer 3 switching and routing. You also 
should be familiar with the following protocols if they apply to your network: IP, RIP, OSPF, BGP4, IGMP, PIM, 
DVMRP, IPX, AppleTalk, SRP, and VRRP. 

Nomenclature 

This guide uses the following typographical conventions: 

Italic highlights the title of another publication and occasionally emphasizes a word or phrase. 

Bold highlights a CLI command. 

Bold Italic highlights a term that is being defined. 

Underline highlights a link on the Web management interface. 

Capitals highlights field names and buttons that appear in the Web management interface. 
NOTE: A note emphasizes an important fact or calls your attention to a dependency. 

WARNING: A warning calls your attention to a possible hazard that can cause injury or death. 

CAUTION: A caution calls your attention to a possible hazard that can damage equipment. 






Terminology 

The following table defines basic product terms used in this guide. 



Product Terms 

Term: chassis or Chassis device 
Definition: A switch or routing switch that accepts optional modules or power supplies. The HP 9304M routing 
switch and HP 9308M routing switch are Chassis devices. 

Term: Fixed-port device 
Definition: A device that contains a fixed configuration of ports, instead of swappable modules. The HP 6208M-SX 
switch and HP 6308M-SX routing switch are Fixed-port devices. 

Term: routing switch or router 
Definition: A Layer 2 and Layer 3 device that switches and routes network traffic. The term router is sometimes 
used in this document in descriptions of a routing switch's Layer 3 routing protocol features. 

Term: switch 
Definition: A Layer 2 device that switches network traffic. 

Term: HP9300, HP6208, or HP6308 
Definition: An example Command Line Interface (CLI) prompt. Actual prompts show the product number for the 
device, such as HP9304. 


Related Publications 

The following product documentation is available for your HP switch or routing switch: 

• Read Me First for the HP ProCurve Routing Switches 9304M, 9308M, and 6308M-SX, and the HP ProCurve 
Switch 6208M-SX. This document includes software update information, the parts list for your HP ProCurve 
device, and other product information. Updates to this document are published on the World Wide Web from 
time to time, and may include additional troubleshooting, errata, and operating notes. To check for the latest 
version of Read Me First, go to www.hp.com/go/hpprocurve, select Technical Support, and then Manuals. 

• Book 1: Installation and Getting Started Guide. Book 1 contains the product Safety and EMC Regulatory 
statements as well as installation, security, and basic configuration information. A printed copy of this guide is 
included with your HP product. An electronic copy is also included as a PDF (Portable Document Format) file 
on the CD shipped with your HP product. 

• Book 2: Advanced Configuration and Management Guide. Book 2 contains advanced configuration 
information for routing protocols, Spanning Tree Protocol (STP), Quality of Service (QoS), and Virtual LANs 
(VLANs). In addition, appendixes in this guide contain reference information for network monitoring, policies 
and filters, and software and hardware specifications. This manual is included in a PDF (Portable Document 
Format) file on the CD shipped with your HP product. 

• Book 3: HP ProCurve Command Line Interface Reference. The Command Line Interface Reference 
provides a dictionary of CLI commands and syntax. An electronic copy of this reference is included as a PDF 
(Portable Document Format) file on the CD shipped with your HP product. 

• Documentation CD for the HP ProCurve Routing Switches 9304M, 9308M, 6308M-SX, and the HP 
ProCurve Switch 6208M-SX. This CD contains PDF files for Book 1, Book 2, and Book 3, and provides a 
method for electronically searching either individual chapters or an entire manual for specific topics. For a 
brief description of the CD contents and how to use the CD to save time, do the following: 

1. Insert the CD in your PC's CD-ROM drive. 

2. Using the file manager in your PC, select the drive containing the CD and display the CD's directory. 

3. Use a compatible text editor to display the README.txt file in the CD's root directory. 

• Manual Supplement — These documents are included with your HP device if the software shipped with the 
device includes feature upgrades that were added after the last revision of the manual. They are also 
included with software upgrades when available on the World Wide Web. To check for the latest software 
version, go to www.hp.com/go/hpprocurve and click on Technical Support, then Software. 

• Support is as Close as the World Wide Web! — Included with your HP switch or routing switch, this 
document is a guide to HP support services and also provides information on your HP networking product 
warranty. 



What's New in this Edition? 

This edition and the October 2000 editions of the Advanced Configuration and Management Guide and Command 
Line Interface Reference contain descriptions of the new features listed below. (For features added in later, minor 
releases after November 2000, see the latest release notes in the Technical Support, Manuals area at 
http://www.hp.com/go/hpprocurve.) 



Enhancements Added in Software Release 06.6.X 

The following enhancements are new in software release 06.6.X and higher. All of these enhancements also are 
present in software release 07.1.X. 

System-Level Enhancement 

• Secure management access based on VLAN ID 

Enhancements Added in Software Release 07.1.X 

The following enhancements are new in software release 07.1.X. These enhancements are present only in 
software release 07.1.X. They are not supported in software release 06.6.X. 

Layer 3 Enhancements 

• Support for up to 10,000 static ARP entries 

• Aggregate default network routes 

• Host-based IP load sharing for specific destination networks 

• ICMP Router Discovery Protocol (IRDP) enhancements 

• Option to disable ICMP redirect 

• RIP offset lists 

• More flexible IP multicast interface numbering 

• Hardware forwarding for all fragments of IP multicast packets 

• Multicast Source Discovery Protocol (MSDP) 

• Dynamic OSPF memory 

• Support for up to 32 OSPF area ranges in each area 

• Support for up to 25,000 External LSAs 

• OSPF group Link State Advertisement (LSA) pacing 

• External LSA reduction 

• BGP4 re-advertises BGP routes even when OSPF or RIP routes to the same destination have a lower cost 

• Redistribution changes take place immediately 

• Option to redistribute Internal BGP (IBGP) routes into RIP and OSPF 

• Dynamic BGP4 route refresh 

• BGP4 route reflection updated to RFC 2796 

• Change to route map processing of ACL or other filtering deny statements 

• Option to clear BGP4 neighbor sessions based on a specific Autonomous System (AS) number 

• You can specify a route map name when configuring BGP4 network information 

• Enhancements to set metric command in route maps 

• Enhancements to show ip bgp commands 

• Enhancement to BGP4 Syslog message 

• Network Address Translation (NAT) 

• Virtual Router Redundancy Protocol Extended (VRRPE) 

• ICMP Router Discovery Protocol (IRDP) is disabled by default 

• Policy-Based Routing (PBR) 

• Support for standard static IP routes and interface or null static routes to the same destination 

• Dynamic memory for BGP4 

• BGP4 peer groups 

• New BGP4 show commands 

• Enhanced BGP4 show commands for neighbor information 

Layer 2 Enhancements 

• Updated STP port Path Cost defaults 

• Compatibility with Cisco Systems' Per VLAN Spanning Tree (PVST) 

System-Level Enhancements 

• Enhanced software version information 

• New strict mode for ACL processing of UDP traffic 

• Fixed Rate Limiting 

• Adaptive Rate Limiting 

• Denial of Service (DoS) protection for TCP SYN and ICMP transit traffic 

• Authorization and Accounting support for RADIUS and TACACS+ 

• TACACS+ password prompt support 

• VLAN-based management access control 

• RSA authentication for SSH 

• SCP support for secure file transfers 

• Automatic load re-distribution following a healed trunk link 

• Support for up to 4095 VLANs and up to 4095 virtual interfaces (VEs) 

• VLAN and virtual interface groups 

• Enhanced CLI for managing redundant management modules 

• Super Aggregated VLANs 

• Support for simultaneous Telnet configuration by multiple users 

• New CLI command for displaying dynamic memory utilization 

• SNMP V2 view 

• Enhancement to show default values command 

• CLI enhancements to the startup-config and running-config files 

• Page display is configurable for individual CLI management sessions 

• CLI enhancement to display the idle time for open CLI sessions 

• New CLI command for displaying TACACS+ or RADIUS information 

• Enhancement to the show web command 

• New option for setting the timeout for Telnet sessions 

• Enhancements to show interface command 

• ACL configuration supported in the Web management interface 

• Greeting banners are displayed at the beginning of a Web management session 

• Increasing the Syslog buffer size does not clear entries 

• The newline character does not appear in Syslog and SNMP trap messages 

• New MIB tables for Adaptive Rate Limiting 

• Support for Secure Shell (SSH) for remote access to the CLI 

• Support for up to 12 trunk groups on 24-port 10/100 modules 

• Strict ACL TCP mode 

• Support for per-port ACL assignment within a virtual interface's VLAN 

• New commands for copying files between a device's flash memory and a TFTP server 

• Change to the IP address used when you enable the routing switch to use a single IP address on the device 
as the source for all Telnet, RADIUS, or TACACS/TACACS+ packets originated by the device 

• Option to suppress Telnet connection rejection message 

• Configurable block size for TFTP file transfers 

Support and Warranty Information 

Refer to Support is as Close as the World Wide Web, which was shipped with your HP switch or routing switch. 






Chapter 2 
Installation 



This chapter outlines the physical installation and network connection for the HP 9304M, HP 9308M, and HP 
6308M-SX routing switches and the HP 6208M-SX switch. 

Unpacking a System 
Package Contents 

For a list of included parts, please refer to the Read Me First document shipped with your HP device. 

General Requirements 

To manage a switch or routing switch, you need the following items for serial connection to the device: 

• A management station, such as a PC running a terminal emulation application. 

• A straight-through EIA/TIA DB-9 serial cable (M/F), which is provided with your HP switch or routing switch. 

Use the serial connection to perform basic configuration tasks including assigning an IP address and network 
mask to the system. This information is required for managing the system using the Web management interface 
or using the CLI through Telnet. 





CAUTION: The HP 9304M exceeds 40 lbs. (18.1 kg) and the HP 9308M exceeds 55 lbs. (24.9 kg). When 
handling, two or more people are required. 

WARNING: Do not use the handles on the power supply units to lift or carry the HP 9304M or HP 9308M routing 
switch. 
Installation Procedures 
Summary 

Follow the steps listed below to install your routing switch. Details for each of the steps highlighted below are 
provided in the balance of this chapter. 

1. Preparing the installation site (page 2-4). Ensure that the physical environment that will host the routing 
switch has the proper cabling and ventilation. 

2. Chassis devices only - Installing (or Removing) Optional Modules (page 2-4). There are many optional 
modules designed for any of the module slots on the HP 9304M or HP 9308M routing switches. Depending 
on where you will install the routing switch, it may be easier to install the modules first. However, the modules 
are "hot swappable", and can be installed or removed after the routing switch is mounted and powered-on. 



NOTE: If you are installing a second Redundant Management module, see "Using Redundant Management 
Modules" on page 5-1 for complete installation, configuration, and management instructions for this module. 



3. Chassis devices only - (Optional) Installing (or Removing) Redundant Power Supplies 

(page 2-6). The HP 9304M can hold one or two power supplies. The HP 9308M can hold up to four power 
supplies. If you have a power supply to install, it may be easier to install it before mounting the routing switch, 
although the power supplies are "hot swappable", and can be installed or removed after the routing switch is 
mounted and powered-on. 



CAUTION: Remove the power cord from a power supply before you install it in or remove it from the routing 
switch. Otherwise, damage to the power supply or the routing switch could result. (The routing switch can be 
running while a power supply is being installed or removed, but the power supply itself should not be 
connected to a power source.) 



4. Verifying Proper Operation (page 2-8). Verify that the system and module LEDs are registering the proper 
LED state after power-on of the system. 

5. Attaching a PC or Terminal (page 2-9). A terminal or PC serial port connection is all that is required to 
support configuration on the routing switch. 

6. Assign a Permanent Password (page 2-12). No default password is assigned to HP devices, so until you 
assign one, anyone who can reach the serial console, a Telnet session, or the Web management interface can 
manage the device without authenticating. Assign a password before connecting the device to the network. 

7. Assign Permanent IP Addresses (page 2-13). Before attaching equipment to the device, assign an 
interface IP address on the subnet where the device will be located. Initial IP address assignment is done using 
the Command Line Interface (CLI), either over a direct serial connection or using Telnet over a direct terminal-to- 
device LAN connection. Subsequent IP address assignments on routing switches can be done via Telnet or the 
Web management interface. 

8. Mounting the Device (page 2-15). HP switches and routing switches support both desktop and rack-mount 
installation. 

9. Connecting Power to the Device (page 2-17). Once the device is physically installed, plug the device into a 
nearby power source in keeping with regulatory requirements outlined in this manual. 

10. Connecting Network Devices (page 2-17). Once the device is powered on and IP addresses are assigned, 
the device is ready to accept network equipment. 



CAUTION: Use the CESD grounding tap (provided by HP) before connecting Category 5 or better UTP 
copper networking cables. 



11. Verifying Proper Connections (page 2-20). Test IP connectivity to other devices by pinging them and 
tracing routes. 

12. Managing the device (page 2-21). Continue configuring the device using the CLI or the Web management 
interface. 
13. Chassis devices only - Swapping Modules (page 2-25). If you are removing a module and placing a 
module of another type in its slot, you need to reconfigure the chassis slot for the module. 

Installation Precautions 

Follow these precautions when installing an HP switch or routing switch: 



WARNING: The HP 9304M chassis exceeds 40 lbs. (18 kg), or 47.7 lbs. (21.6 kg) when fully populated with 
modules and power supplies. Also, the HP 9308M chassis exceeds 55 lbs. (24.9 kg) or 69.1 lbs. (31.3 kg) when 
fully populated with modules and power supplies. TWO OR MORE PEOPLE ARE REQUIRED WHEN LIFTING, 
HANDLING, OR MOUNTING THESE ROUTING SWITCHES. 



WARNING: Do not use the handles on the power supply units to lift or carry the routing switch. 



WARNING: The rack or cabinet housing the switch or routing switch should be adequately secured to prevent it 
from becoming unstable and/or falling over. 



WARNING: Devices installed in a rack or cabinet should be mounted as low as possible, with the heaviest 
device at the bottom and progressively lighter devices installed above. 



CAUTION: 

• Make sure that the power source circuits are properly grounded, then use the power cord supplied with the 
device to connect it to the power source. 

• If the installation requires a different power cord than the one supplied with the device, be sure to use a power 
cord displaying the mark of the safety agency that defines the regulations for power cords in your country. 
The mark is your assurance that the power cord can be used safely with the device. 

• Ensure that the device does not overload the power circuits, wiring, and over-current protection. To 
determine the possibility of overloading the supply circuits, add together the ampere ratings of all devices 
installed on the same circuit as the switch or routing switch. Compare this total with the rating limit for the 
circuit. The maximum ampere ratings are usually printed on the devices, near their AC power connectors. 

• Do not install the device in an environment where the operating ambient temperature might exceed 40 
degrees C (104 degrees F). 

• Make sure the air flow around the front, sides, and back of the device is not restricted. 

• To provide additional safety and proper airflow to the device, make sure that slot cover plates are installed on 
all chassis slots that do not have either a module or power supply installed. 

• Before connecting Category 5 or better UTP copper networking cables to a chassis module on the HP 9304M 
or HP 9308M, use the CESD grounding tap (shipped with the HP 9304M and HP 9308M and with chassis 
modules designed for UTP copper networking cables). See the Cable Grounding Instructions included with 
the CESD grounding tap. If you did not receive a CESD grounding tap kit (HP part number 5064-9974) with 
the above HP products, you can request one without charge from your HP Customer Care Center (CCC). To 
contact the CCC for your area, see the support and warranty booklet (Support is as Close as the World Wide 
Web!) shipped with your HP product. CCCs are also listed in the HP ProCurve Networking Service and 
Support Guide available at http://www.hp.com/go/hpprocurve. (Click on Technical Support, then 
Support Services.) 
1. Preparing the Installation Site 
Cabling Infrastructure 

Ensure that the proper cabling is installed in the site. See "Hardware Overview" on page 8-1 for a summary of 
supported cabling types and their specifications. 

Installation Location 

Before installing the device, plan its location and orientation relative to other devices and equipment. Allow at 
least three inches (3") of space at the front of the device for the twisted-pair, fiber-optic and power cabling. Also, 
a minimum of three inches (3") of space should be allowed between the sides and the back of the device and 
walls or other obstructions. 

2. Installing (or Removing) Optional Modules (Chassis Devices only) 
Installing Modules 

To install a module in the chassis, do the following: 

1. Put on an ESD wrist strap and attach the clip end to a metal surface (e.g. an equipment rack) to act as 
ground. 



WARNING: To avoid risk of shock, do not attach the clip end to the air flow panel of the power supply. 



2. Remove the blank face plate from the slot in which the module is to be installed. Place the blank face plate in 
a safe place for future use. 

3. Remove the module from its packaging. 

4. Insert the module into the chassis slot and glide the card along the card guide until the card ejectors on the 
front of the module touch the chassis. 



CAUTION: To avoid hardware damage during installation, be careful to properly line up the edges of the 
module board with the guides built into the module slot on the chassis. 



NOTE: Modules for the HP 9308M slide in vertically with the module label (e.g. ProCurve 9300) and port 
number 1 at the top (Figure 2.3). Modules for the HP 9304M slide in horizontally with the module label (e.g. 
ProCurve 9300) and port number 1 on the left (Figure 2.4). 



5. Push the ejectors toward the center of the module until they are flush with the front panel of the module. The 
module will be fully seated in the backplane. 

6. Tighten the two screws at either end of the module. 



CAUTION: If one or more of the slots remains unused, make sure that a slot cover plate is still attached over 
each unused slot for safe operation and proper system cooling. 

Use the CESD grounding tap (provided by HP) before connecting Category 5 or better UTP copper 
networking cables. 



NOTE: If installing a module into a slot previously occupied by a different type of module, you must use the 
CLI to configure the new module (with the CLI command, module <slot-num> <module-type>) and then use 
the write memory command to save the configuration and the reload command to reset the routing switch. 
See "Swapping Modules (Chassis Devices only)" on page 2-25. If the slot has never contained a module or 
you are swapping in exactly the same type of module, you do not need to enter these commands. 
Figure 2.1 Installing a Module 

Removing Modules 

To remove a module from the chassis, do the following: 

1. Put on an ESD wrist strap and attach the clip end to a metal surface (e.g. an equipment rack) to act as 
ground. 

WARNING: To avoid risk of shock, do not attach the clip end to the air flow panel of the power supply. 

2. Loosen the two screws on the module. 

3. Pull the card ejectors towards you, and away from the module front panel. The card will unseat from the 
backplane. 

4. Pull the module out of the chassis and place in an anti-static bag for storage. 

5. Cover the slot with the blank face plate that shipped with the chassis. 

CAUTION: If you remove a module and do not replace it, cover the slot opening with one of the blank plates 
you received with the routing switch to provide additional safety and airflow for the system. 

NOTE: Modules can be installed and removed when the unit is powered on (hot swap). There is no need to 
power the system down. You do not need to change the slot's configuration unless you plan to insert a 
different type of module. See "Swapping Modules (Chassis Devices only)" on page 2-25. 
3. Installing (or Removing) Redundant Power Supplies (Chassis Devices Only) 

Determining Power Supply Status 

If you are replacing a power supply that has failed and you are not sure which supply has failed, enter the 
following command at any CLI command prompt: 

show chassis 

This command displays status information for the fans and the power supplies. The power supplies are numbered 
in the display. The power supply numbers correspond to the following positions. These positions assume you are 
facing the front of the Chassis device, not the rear. 



Table 2.1: Power Supply Positions in Chassis Devices 

Product     Power Supply 1 Position   Power Supply 2 Position   Power Supply 3 Position   Power Supply 4 Position 
HP 9304M    left side                 right side                n/a                       n/a 
HP 9308M    bottom                    second from bottom        second from top           top 


Installing Power Supplies 

To install a power supply in the chassis, do the following: 



CAUTION: Power supplies are hot swappable but they should be disconnected from AC power before being 
installed or removed. That is, the routing switch can be running while a power supply is being installed or 
removed, but the power supply itself should not be connected to a power source. Otherwise, damage to the 
power supply or the routing switch could result. 



1. Use a screwdriver to remove the blank power supply face plate. This will expose the empty power supply 
slot. 

2. Remove the power supply from its packaging. 

3. Holding the bar on the front panel of the power supply, insert the power supply into the empty power supply 
slot using the module guides provided on either side of the compartment. 



CAUTION: Carefully follow the mechanical guides on each side of the power supply slot and make sure the 
power supply is properly inserted in the guides. Never insert the power supply upside down. 



4. Continue to slide the power supply towards the back of the chassis until the two metal rods and the connector 
make contact with the back connector. Then push the power supply until the front panel of the power supply 
is flush with the rest of the chassis. 

5. Use a screwdriver to tighten the two screws on either side of the power supply. 

6. Connect the power cord to the front of the power supply. 

7. Connect the power plug into an outlet. 
Figure 2.2 Installing a Power Supply 

Removing Power Supplies 

To remove a power supply module from the chassis, do the following: 

CAUTION: Power supplies are hot swappable but they should be disconnected from AC power before being 
installed or removed. That is, the routing switch can be running while a power supply is being installed or 
removed, but the power supply itself should not be connected to a power source. Otherwise, damage to the 
power supply or the routing switch could result. 

1. Unplug the power supply AC power cord from the outlet. 

2. Disconnect the power cord from the power supply. 

3. Use a screwdriver to loosen the screws on either side of the power supply. 

4. Holding the bar on the front panel of the power supply, pull outward, disconnecting the power supply from the 
backplane. 

5. Continue to pull the power supply until it is removed from the chassis. 

6. Place the power supply in an anti-static bag for storage. 

7. Cover the power supply slot with the blank power supply cover that came with the device. 

8. Use a screwdriver to tighten the screws. 
Figure 2.3 Example of the front panel of an HP 9308M routing switch 

Figure 2.4 Example of the front panel of an HP 9304M routing switch 

4. Verifying Proper Operation 

After you have installed any modules or redundant power supplies, but before mounting the routing switch in its 
network location, you should first verify that it is working properly by plugging it into a power source and verifying 
that it passes its self test. 
NOTE: Chassis devices only - If your device has more than one power supply installed, repeat this procedure for 
each power supply. 



1. Connect the power cord supplied with the device to the power connector found on the power supply on the 
front of the device. 

2. Insert the other end into a properly grounded electrical outlet. 



NOTE: The devices do not have power switches. They are powered on when the power cord is connected to the 
device and to a power source. 

If your installation requires a different power cord than that supplied with the device, be sure to obtain a power 
cord displaying the mark of the safety agency that defines the regulations for power cords in your country. The 
mark is your assurance that the power cord can be used safely with the device. 



3. Verify proper operation by observing the LEDs: 

• Chassis devices - Make sure the LED on each power supply is a solid green. Also make sure that some 
of the port LEDs on each module momentarily light up. The LEDs indicate that the device is performing 
diagnostics. After the diagnostics are complete, the LEDs will be dark except for the ones that are 
attached by cables to other devices. If the links on these cables are good and the connected device is 
powered on, the link LEDs will light. 



NOTE: If all of the LEDs on a module do not light up during the diagnostics, this does not indicate an error. 
Only some of the LEDs are lighted during the diagnostics. 



• Fixed-port devices - All the port LEDs should flash momentarily, usually in sequence, while the device 
performs diagnostics. After the diagnostics are complete, the LEDs will be dark except for the ones that 
are attached by cables to other devices. If the links on these cables are good and the connected device 
is powered on, the link LEDs will light. 

For more details on specific LED conditions after system start-up, see "LEDs" on page 8-9. 

5. Attaching a PC or Terminal 

To assign an IP address, you must have access to the Command Line Interface (CLI). The CLI is a text-based 
interface that can be accessed through a direct serial connection to the device and through Telnet connections. 
The CLI is described in detail in the Command Line Interface Reference. 

You need to assign a permanent IP address using the CLI. You can access the CLI by attaching a serial cable to 
the Console port. After you assign an IP address, you can access the system through Telnet or the Web 
management interface. 

Attaching a PC or Terminal Using a Serial Port 

To attach a management station using the serial port: 

1. Connect a PC or terminal to the serial port of the system via the (serial) console cable. The serial port is a 
male DB-9 connector. Generally, a PC port will require a cable with a female DB-9 connector. Terminal 
connections will vary, requiring either a DB-9 or DB-25 connector, male or female. 

A console cable is provided with your switch or routing switch. Cable pin-outs and signalling for the serial 
cable are shown in Figure 2.5 and Figure 2.6. 

2. If you are using a PC for a terminal, run a terminal emulation program on the PC. 

3. Set the terminal or PC terminal emulation program to the parameters shown below: 

• Baud: 9600 bps 

• Data bits: 8 

• Parity: None 

• Stop bits: 1 

• Flow control: None 

Attaching a PC or Terminal Using a Direct LAN Connection 

To attach a management station using a direct LAN connection: 



NOTE: Use this procedure if you are unable to make the serial connection described above. 



Important! Cable Grounding Instructions 

HP provides a cable-grounding kit for use with HP 9304M/HP 9308M chassis modules designed for UTP copper 
networking cable connections. Use this grounding kit to help prevent ESD damage to your routing switch 
components when connecting cables to the modules. 



CAUTION: Before connecting Category 5 or better UTP copper networking cables to a chassis module on the HP 
9304M or HP 9308M, use the CESD grounding tap (shipped with the HP 9304M and HP 9308M and with chassis 
modules designed for UTP copper networking cables). See the Cable Grounding Instructions included with the 
CESD grounding tap. If you did not receive a CESD grounding tap kit (HP part number 5064-9974) with the above 
HP products, you can request one without charge from your HP Customer Care Center (CCC). To contact the 
CCC for your area, see the support and warranty booklet (Support is as Close as the World Wide Web!) shipped 
with your HP product. CCCs are also listed in the HP ProCurve Networking Service and Support Guide available 
at http://www.hp.com/go/hpprocurve. (Click on Technical Support, then Support Services.) 



1. Directly connect the LAN port on a Telnet-capable terminal device such as a laptop or desktop PC to one of 
the following: 

• In a Chassis device, port 1 in slot 1 

• In a Fixed-port device, port 1 

2. Configure the terminal device with an IP address and subnet mask that assigns the terminal to the same 
subnet as the switch or routing switch's IP address for port 1, slot 1 (Chassis device) or port 1 (Fixed-port 
devices). 

3. From the DOS prompt, enter telnet <ip-addr> to access the switch or routing switch CLI, where <ip-addr> is 
the IP address for the switch or routing switch port. 

When you establish the serial connection to the device, press Enter to display the CLI prompt for your switch or 
routing switch. For example: 

HP9304> 
HP9308> 
HP6308> 
HP6208> 



NOTE: For simplicity, CLI examples for the routing switches generally show the command prompt "HP9300". This 
command prompt represents either the HP 9304M or HP 9308M unless otherwise noted. Command prompts that 
are specific to the HP 6208M-SX or HP 6308M-SX show "HP6208" or "HP6308". 

The CLI examples for Layer 3 features that use the same syntax on Chassis devices and Fixed-port devices 
generally use "HP9300" in the command prompt. The CLI examples for features that apply exclusively to the HP 
6208M-SX use "HP6208". 



If you see one of these prompts, you are now connected to the system and can proceed to "Assigning a 
Permanent Password" on page 2-12. 
You can customize the prompt by changing the system name. See "Entering System Administration Information" 
on page 9-3. 

If you do not see one of these prompts: 

1. Make sure the cable is securely connected to your PC and to the HP device. 

2. Check the settings in your terminal emulation program. In addition to the session settings listed above, make 
sure the terminal emulation session is running on the same serial port you attached to the HP device. 

The EIA/TIA 232 serial communication port serves as a connection point for management by a PC or SNMP 
workstation. HP switches and routing switches come with a standard male DB-9 connector, shown in 
Figure 2.5. 



Pin Assignment (DB-9 male) 

Pin Number   Switch Signal 
1            Reserved 
2            TXD (output) 
3            RXD (input) 
4            Reserved 
5            GND 
6            Reserved 
7            CTS (input) 
8            RTS (output) 
9            Reserved 

Figure 2.5 Serial port pin and signalling details 

Most PC serial ports also require a cable with a female DB-9 connector. Terminal connections will vary, requiring 
either a DB-9 or DB-25 connector, male or female. Serial cable options between an HP switch or routing switch 
and a PC terminal are shown in Figure 2.6. 

NOTE: As indicated in Figure 2.5 and Figure 2.6, some of the wires should not be connected. If you do connect 
the wires that are labeled "Reserved", you might get unexpected results with some terminals. 



Figure 2.6 Serial port signal directions (cable options: DB-9 female on the switch side to a DB-9 or a DB-25 
connector on the terminal or PC side; the switch pins labeled "Reserved" are left unconnected) 




Installation and Getting Started Guide 



6. Assigning a Permanent Password 

CLI access does not require a password by default. If you want to configure a password, you must use the CLI. A 
password cannot be assigned through the Web management interface. 

The CLI contains the following access levels: 

• User EXEC level - The level you enter when you first start a CLI session. At this level, you can view some 
system information but you cannot configure system or port parameters. 

• Privileged EXEC level - This level is also called the Enable level and can be secured by a password. You 
can perform tasks such as manage files on the flash module, save the system configuration to flash, and 
clear caches at this level. 

• CONFIG level - The configuration level. This level lets you configure the system's IP address and configure 
switching and routing features. To access the CONFIG mode, you must already be logged into the Privileged 
level of the EXEC mode. 

By default, there are no CLI passwords. To secure CLI access, you must assign passwords. 

NOTE: You must use the CLI to assign a password. You cannot assign a password using the Web management 
interface or an SNMP network management application. 

You can set the following levels of Enable passwords: 

• Super User - Allows complete read-and-write access to the system. This is generally for system 
administrators and is the only password level that allows you to configure passwords. You must set a super 
user password before you can set other types of passwords. 

• Port Configuration - Allows read-and-write access for specific ports but not for global (system-wide) 
parameters. 

• Read Only - Allows access to the Privileged EXEC mode and CONFIG mode but only with read access. 

How To Assign a Password 

When you first connect to the CLI, you are at the User EXEC level of the CLI. This is the first level of the CLI. The 
next level is the Privileged EXEC level. You need to get to the global CONFIG level of the CONFIG command 
structure to assign a permanent password. 

To reach the global CONFIG level and assign passwords, use the following steps: 

1. At the opening prompt, enter the following command to go from the User EXEC level to the Privileged EXEC 
level: 

HP9300> enable 

2. Access the configuration level of the CLI by entering the following command: 

HP9300# configure terminal        (Privileged EXEC Level) 
HP9300(config)#                   (Global CONFIG Level) 

3. To set the super-user password: 

HP9300(config)# enable super-user-password <string> 

NOTE: You must set a super-user password before you can set other types of passwords. 

4. To set the port-configuration and read-only passwords: 

HP9300(config)# enable read-only-password <string> 
HP9300(config)# enable port-config-password <string> 





How to Recover From a Lost Password 

Recovery from a lost password requires direct access to the serial port and a system reset of the device. 



NOTE: You can perform this procedure only from the CLI. 



To recover from a lost password: 

1. Start a CLI session over the serial interface to the device. 

2. Reboot the device. 

3. While the system is booting, before the initial system prompt appears, enter b to enter the boot monitor mode. 

4. Enter no password at the prompt. This command cannot be abbreviated. This command will cause the 
device to bypass the system password check. 

5. Enter boot system flash primary. 

6. After the console prompt reappears, assign a new password. 

7. Assign a Permanent IP Address 

Before you can manage the switch or routing switch over your network, you must assign at least one IP address to 
the device. (For more information on IP addressing, see the "Configuring IP and IP/RIP" chapter in the Advanced 
Configuration and Management Guide included on the CD-ROM shipped with your device.) 

Routing Switches 

Before attaching an HP routing switch to your network, you must assign an interface IP address to the sub-net on 
which the routing switch will be located. For subsequent addresses, you also can use the CLI through Telnet or 
use the Web management interface. 

Using a serial connection is the recommended method for assigning the first IP address on a routing switch. (You 
also can use Telnet with a direct, terminal-to-device LAN connection if necessary — see "Attaching a PC or 
Terminal Using a Direct LAN Connection" on page 2-10.) 

On the HP 9304M or HP 9308M, you can configure up to 24 IP interfaces on each port, virtual interface, and 
loopback interface. On the HP 6308M-SX routing switch, you can increase this amount to up to 64 IP sub-net 
addresses per port by increasing the size of the subnet-per-interface table. See "Displaying and Modifying 
System Parameter Default Settings" on page 9-58. 

The following procedure shows how to add an IP address and mask to a routing switch port. 

1. At the opening CLI prompt, enter enable. 

HP9300> enable 

2. If you are prompted for the password you created in "Assigning a Permanent Password" on page 2-12, enter 
the password. 

3. Enter the following command at the Privileged EXEC level prompt (for example, HP9300#), then press Enter. 
This command erases the factory test configuration if still present: 

HP9300# erase startup-config 



WARNING: Use this step only for new systems. If you enter this command on a system you have already 
configured, the command erases the configuration. If you accidentally do erase the configuration on a configured 
system, enter the write memory command to save the running configuration to the startup-config file. 



4. Access the configuration level of the CLI by entering the following command: 
HP9300# configure terminal        (Privileged EXEC Level) 

HP9300(config)#                   (Global CONFIG Level) 
5. Set the IP and mask addresses. 

HP9300(config)# int e 1/5 

HP9300(config-if-1/5)# ip address 192.22.3.44 255.255.255.0 

NOTE: You can use the syntax, ip address <ip-addr> /<mask-bits> if you know the sub-net mask length. In 
the above example, you could enter ip address 192.22.3.44/24. 

Syntax: enable [<password>] 
Syntax: configure terminal 

Syntax: [no] ip address <ip-addr> <ip-mask> [secondary] 
or 

Syntax: [no] ip address <ip-addr>/<mask-bits> [secondary] 

Use the secondary parameter if you have already configured an IP address within the same sub-net on the 
interface. 

Switches 

Using a serial connection is the recommended method for assigning the IP address on a switch. (You also can 
use Telnet with a direct, terminal-to-device LAN connection if necessary — see "Attaching a PC or Terminal Using a 
Direct LAN Connection" on page 2-10.) 

To assign an IP Address to the HP 6208M-SX switch: 

1. At the opening CLI prompt, enter enable. 

HP6208> enable 

2. If you are prompted for the password you created in "Assigning a Permanent Password" on page 2-12, enter 
the password. 

3. Enter the following command at the Privileged EXEC level prompt (for example, HP6208#), then press Enter. 
This command erases the factory test configuration if still present: 

HP6208# erase startup-config 

WARNING: Use this step only for new systems. If you enter this command on a system you have already 
configured, the command erases the configuration. If you accidentally do erase the configuration on a configured 
system, enter the write memory command to save the running configuration to the startup-config file. 

4. Access the configuration level of the CLI by entering the following command: 
HP6208# configure terminal        (Privileged EXEC Level) 
HP6208(config)#                   (Global CONFIG Level) 

5. Set the IP and mask addresses for the switch. 

HP6208(config)# ip address 192.22.3.44 255.255.255.0 

6. Set a default gateway address for the switch. 

HP6208(config)# ip default-gateway 192.22.3.1 

NOTE: You do not need to assign a default gateway address for single sub-net networks. 

Syntax: enable [<password>] 

Syntax: configure terminal 

Syntax: [no] ip address <ip-addr> <ip-mask> 
or 

Syntax: [no] ip address <ip-addr>/<mask-bits> 
Syntax: ip default-gateway <ip-addr> 
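The password levels from "Assigning a Permanent Password" and the two ip address forms above can be checked offline against a saved configuration before a device is put on the network. The Python script below is an added example, not HP code: it parses the guide's CONFIG-level commands (enable ...-password, ip address in both forms, ip default-gateway, int e) from constructed sample text and reports a missing super-user password, a same-sub-net address entered without secondary, and a default gateway outside any configured sub-net; prefix_len, parse_config and audit are hypothetical helper names.

```python
"""Audit a saved HP 9300-series CLI configuration for the setup steps in this
guide. Added example, not HP code; prefix_len/parse_config/audit are hypothetical
helper names. Only the command forms shown in the guide are recognised."""
import ipaddress
import re

# CONFIG-level command forms from the guide.
PASSWORD_RE = re.compile(r"^enable (super-user|read-only|port-config)-password\s+\S+")
IP_RE = re.compile(
    r"^(no\s+)?ip address (\S+)(?:\s+(\d+\.\d+\.\d+\.\d+))?(\s+secondary)?$")
GATEWAY_RE = re.compile(r"^ip default-gateway (\S+)$")
INTERFACE_RE = re.compile(r"^int(?:erface)? e(?:thernet)? (\S+)$")

# Constructed sample for a routing switch: a read-only password was set without
# the required super-user password, and a second address on the same sub-net of
# interface 1/5 was entered without 'secondary'.
ROUTING_SWITCH_SAMPLE = """\
enable read-only-password ro-example
int e 1/5
 ip address 192.22.3.44 255.255.255.0
 ip address 192.22.3.45/24
 exit
"""

# Constructed sample for an HP 6208M-SX switch that follows the guide's steps.
SWITCH_SAMPLE = """\
enable super-user-password su-example
enable read-only-password ro-example
ip address 192.22.3.44 255.255.255.0
ip default-gateway 192.22.3.1
"""


def prefix_len(mask: str) -> int:
    """Accept a dotted <ip-mask> ('255.255.255.0') or <mask-bits> ('24', '/24')."""
    mask = mask.lstrip("/")
    if "." in mask:
        return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen
    return int(mask)


def parse_ip_address(addr: str, mask):
    """Build an IPv4Interface from either 'ip address' form the guide shows."""
    if "/" in addr:
        host, bits = addr.split("/", 1)
        return ipaddress.IPv4Interface(f"{host}/{prefix_len(bits)}")
    if mask is None:
        raise ValueError(f"ip address {addr}: <ip-mask> or /<mask-bits> required")
    return ipaddress.IPv4Interface(f"{addr}/{prefix_len(mask)}")


def parse_config(text: str) -> dict:
    """Collect password levels, addresses per interface, and the default gateway."""
    cfg = {"passwords": set(), "interfaces": {}, "default_gateway": None}
    context = "global"  # fixed-port switches take 'ip address' at global CONFIG level
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line == "exit":
            context = "global"
        elif m := INTERFACE_RE.match(line):
            context = f"e {m.group(1)}"
        elif m := PASSWORD_RE.match(line):
            cfg["passwords"].add(m.group(1))
        elif m := IP_RE.match(line):
            if m.group(1):  # 'no ip address' removes an address; not audited here
                continue
            iface = parse_ip_address(m.group(2), m.group(3))
            cfg["interfaces"].setdefault(context, []).append((iface, bool(m.group(4))))
        elif m := GATEWAY_RE.match(line):
            cfg["default_gateway"] = ipaddress.IPv4Address(m.group(1))
    return cfg


def audit(cfg: dict) -> list:
    """Return findings as strings; an empty list means the checks passed."""
    findings = []
    levels = cfg["passwords"]
    if "super-user" not in levels:
        findings.append("no super-user password: CLI access is unprotected")
        for level in sorted(levels):
            findings.append(f"{level} password set before the super-user password")
    for name, addrs in cfg["interfaces"].items():
        seen = []
        for iface, secondary in addrs:
            if iface.network in seen and not secondary:
                findings.append(f"{name}: {iface} is on {iface.network}, already "
                                "configured on this interface, but lacks 'secondary'")
            seen.append(iface.network)
    gw = cfg["default_gateway"]
    if gw is not None:
        nets = [i.network for addrs in cfg["interfaces"].values() for i, _ in addrs]
        if not any(gw in n for n in nets):
            findings.append(f"default gateway {gw} is not on any configured sub-net")
    return findings


if __name__ == "__main__":
    for label, sample in (("routing switch", ROUTING_SWITCH_SAMPLE), ("switch", SWITCH_SAMPLE)):
        print(label, audit(parse_config(sample)) or ["ok"])
```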

8. Mounting the Device 

The HP switch and routing switches can be installed on a desktop or in a rack. 



WARNING: The HP 9304M chassis exceeds 40 lbs. (18 kg), or 47.7 lbs. (21.6 kg) when fully populated with 
modules and power supplies. Also, the HP 9308M chassis exceeds 55 lbs. (24.9 kg) or 69.1 lbs. (31.3 kg) when 
fully populated with modules and power supplies. TWO OR MORE PEOPLE ARE REQUIRED WHEN LIFTING, 
HANDLING, OR MOUNTING THESE ROUTING SWITCHES. 



WARNING: Do not use the handles on the power supply units to lift or carry a routing switch. 



WARNING: Make sure the rack or cabinet housing the routing switch is adequately secured to prevent it from 
becoming unstable and/or falling over. 



WARNING: Mount the devices you install in a rack or cabinet as low as possible, with the heaviest device at the 
bottom and progressively lighter devices installed above. HP recommends that the HP 9304M or HP 9308M be 
installed at the bottom of the rack or installed with a shelf and mounting brackets. 



Desktop Installation 

1. Set the device on a flat desktop, table, or shelf. Use a sturdy surface in an uncluttered area. You may want 
to secure the networking cables and power cord to the table legs or other part of the surface structure to help 
prevent people from tripping over them. 

2. Make sure that adequate ventilation is provided for the system — a minimum of three inches (3") clearance is 
recommended on all sides. 



NOTE: Make sure the air flow is unrestricted around the front, sides, and back of the switch or routing switch. 

3. Proceed to "Connecting Power to the Device" on page 2-17. 

Rack Mount Installation - Chassis Devices 

NOTE: You need a #2 Phillips-head screwdriver for installation. 

1. Remove the rack mount kit from the shipping carton. There will be two L-shaped mounting brackets and 
mounting screws. 

2. Attach the mounting brackets to the sides of the routing switch as illustrated in Figure 2.7. 

3. Attach the system in the rack as illustrated in Figure 2.7. 

4. Proceed to "Connecting Power to the Device" on page 2-17. 
Figure 2.7 Installing an HP 9304M routing switch in a rack mount 

Rack Mount Installation - HP 6208M-SX or HP 6308M-SX 

NOTE: You need a #2 Phillips-head screwdriver for installation. 

1. Remove the rack mount kit from the shipping carton. The kit contains two L-shaped mounting brackets and 
mounting screws. 

2. Attach the mounting brackets to the sides of the device as illustrated in Step 2 of Figure 2.8. 

3. Attach the device in the rack as illustrated in Step 3 of Figure 2.8. 

4. Proceed to "Connecting Power to the Device" below. 




Figure 2.8 Installing an HP 6208M-SX or HP 6308M-SX in a rack mount 
9. Connecting Power to the Device 

With physical installation of the switch or routing switch complete, it is now time to power up the system and 
connect the network devices. 



CAUTION: There is no separate on/off power switch for the device. The device is powered on when the power 
cord is connected to a power supply and to a power source. To turn the system off, simply unplug the power 
cord(s). 



CAUTION: The power sockets should be installed near the device and should be easily accessible. 



CAUTION: If your installation requires a different power cord than the one supplied with the device, be sure to use 
a power cord displaying the mark of the safety agency that defines the regulations for power cords in your country. 
The mark is your assurance that the power cord can be used safely with the system. 



NOTE: When you power on a Chassis device that requires multiple power supplies, make sure you apply power 
to all the supplies (or at least the minimum number of supplies required for your configuration) at the same time. 
Otherwise, the device either will not boot at all, or will boot and then repeatedly display a warning message stating 
that you need to add more power supplies. 



1. For a Chassis device, ensure that all modules and power supplies are properly inserted, and that no module 
slots or power supply slots are uncovered. 



WARNING: Electrical shock hazard. Never allow any part of your body to be inside the chassis when the device 
is connected to a power source or to the network. 



2. Remove the power cord from the shipping package. 

3. Attach the AC power cord to the AC connector on the front panel of Chassis device or the rear panel of Fixed- 
port devices. If more than one power supply is installed, attach a power cord for each power supply. 

4. Insert the power cord plug(s) into the appropriate outlet(s). 

10. Connecting Network Devices 

HP switches and routing switches can support connections to other vendors' routers, switches, and hubs as well 
as to other HP switches, routing switches, and hubs. 

Important! Cable Grounding Instructions 

HP provides a cable-grounding kit for use with HP 9304M/HP 9308M chassis modules designed for UTP copper 
networking cable connections. Use this grounding kit to help prevent ESD damage to your routing switch 
components when connecting cables to the modules. 



CAUTION: Before connecting Category 5 or better UTP copper networking cables to a chassis module on the HP 
9304M or HP 9308M, use the CESD grounding tap (shipped with the HP 9304M and HP 9308M and with chassis 
modules designed for UTP copper networking cables). See the Cable Grounding Instructions included with the 
CESD grounding tap. If you did not receive a CESD grounding tap kit (HP part number 5064-9974) with the above 
HP products, you can request one without charge from your HP Customer Care Center (CCC). To contact the 
CCC for your area, see the support and warranty booklet (Support is as Close as the World Wide Web!) shipped 
with your HP product. CCCs are also listed in the HP ProCurve Networking Service and Support Guide available 
at http://www.hp.com/go/hpprocurve. (Click on Technical Support, then Support Services.) 
Connectors 

10/100BaseTX ports come with RJ45 jacks for standard unshielded twisted pair (UTP/Category 5) cable 
connections. 

100BaseFX ports come equipped with MT-RJ connectors. 
1000BaseSX ports come equipped with SC connectors. 
1000BaseLX ports come equipped with SC connectors. 
1000BaseT ports come equipped with RJ-45 connectors. 



Pin Assignment 

10BaseT and 100BaseTX             1000BaseT 
Pin Number    MDI-X ports         Pin Number    MDI-X ports 
1             RD+                 1             RD+ 
2             RD-                 2             RD- 
3             TD+                 3             TD+ 
4             Not used            4             CMT 
5             Not used            5             CMT 
6             TD-                 6             TD- 
7             Not used            7             CMT 
8             Not used            8             CMT 

Figure 2.9 Pin assignment and signalling for 10/100BaseTX and 1000BaseT ports 

Cable Length 

• 1000BaseT: Cable length should not exceed 100 meters. 

• 100BaseTX: Cable length should not exceed 100 meters. 

• 100BaseFX: Cable length should not exceed 2 kilometers. 

• 1000BaseSX: Cable length should not exceed 550 meters when operating with multi-mode cabling. 

• 1000BaseLX: 

  • Cable length of 2 - 440 meters is supported on 62.5 µm multi-mode fiber (MMF) cabling. 

  • Cable length of 2 - 550 meters is supported on 50 µm multi-mode fiber (MMF) cabling. 

  • Cable length of 2 - 5000 meters is supported on 9 µm single-mode fiber (SMF) cabling. 
Table 2.1 Fiber cable length summary table 

Port Type       Fiber Type    Core Diameter    Modal Bandwidth    Range 
                              (microns)        (MHz*km)           (meters) 
1000Base-SX     MMF           62.5             160                2 - 200 (a) 
                MMF           62.5             200                2 - 275 (b) 
                MMF           50               400                2 - 500 
                MMF           50               500                2 - 550 (c) 
1000Base-LX     MMF           62.5             500                2 - 550 
                MMF           50               400                2 - 550 
                MMF           50               500                2 - 550 
                SMF           9                n/a                2 - 5000 

a. The TIA 568 building wiring standard specifies 160/500 MHz*km MMF (Multimode Fiber). 

b. The international ISO/IEC 11801 building wiring standard specifies 200/500 MHz*km MMF. 

c. The ANSI Fibre Channel specification specifies 500/500 MHz*km 50 micron MMF, and 500/500 MHz*km 
fiber has been proposed for addition to ISO/IEC 11801. 



NOTE: Cable installation and network configuration will affect overall transmission capability. The numbers 
provided above represent the accepted recommendations of the various standards. For network-specific 
recommendations, consult your local HP reseller or system engineer. 



Connecting to Other Switches, Routing Switches, and Ethernet Hubs 

For connections to Ethernet hubs, a 10/100BaseTX or 1000BaseT switch, or another HP switch or routing switch, 
a crossover cable is required (Figure 2.10 or Figure 2.11). If the hub is equipped with an uplink port, it will require 
a straight-through cable instead of a crossover cable. 



Figure 2.10 UTP crossover cable for 10/100BaseTX (pins 7 and 8 are unused at both ends) 

Figure 2.11 UTP crossover cable for 1000BaseT 



NOTE: The 802.3ab standard calls for automatic negotiation of the connection between two 1000BaseT ports. 
Consequently, a crossover cable may not be required; a straight-through cable may work as well. 



Connecting to Workstations, Servers or Routers 

Straight-through UTP cabling is required for direct UTP attachment to workstations, servers, or routers via network 
interface cards (NICs). 

Fiber cabling with SC connectors is required for direct attachment to Gigabit NICs or switches and routers. 

Troubleshooting Network Connections 

• For the indicated port, verify that both ends of the cabling, at the switch or routing switch and the connected 
device, are snug. 

• Verify the connected device and the switch or routing switch are both powered on and operating correctly. 

• Verify that you have used the correct cable type for the connection: 

• For twisted-pair connections to an end node, use straight-through cabling. 

• For fiber-optic connections, verify that the transmit port on the switch or routing switch is connected to the 
receive port on the connected device, and that the receive port on routing switch is connected to the 
transmit port on the connected device. 

• Verify that the port has not been disabled through a configuration change. You can use the CLI or if you have 
configured an IP address on the routing switch, you can use the Web management interface. 

• If the other procedures don't resolve the problem, try using a different port or a different cable. 

11. Verifying Proper Connections 

After you install the network cables, you can test network connectivity to other devices by pinging those devices. 
You also can perform trace routes. 

Pinging an IP Address 

To verify that an HP device can reach another device through the network, enter a command such as the 
following at any level of the CLI on the HP device: 

HP9300> ping 192.33.4.7 
Syntax: ping <ip addr> | <hostname> [source <ip addr>] [count <num>] [timeout <msec>] [ttl <num>] [size 
<byte>] [quiet] [numeric] [no-fragment] [verify] [data <1-to-4 byte hex>] [brief] 

See the Command Line Interface Reference for information about its parameters. 



NOTE: If you address the ping to the IP broadcast address, the device lists the first four responses to the ping. 



Tracing a Route 

To determine the path through which an HP device can reach another device, enter a command such as the 
following at any level of the CLI on the HP device: 

HP9300> traceroute 192.33.4.7 

Syntax: traceroute <host-ip-addr> [maxttl <value>] [minttl <value>] [numeric] [timeout <value>] 
[source-ip <ip addr>] 

The CLI displays trace route information for each hop as soon as the information is received. Traceroute requests 
display all responses to a given TTL. In addition, if there are multiple equal-cost routes to the destination, the HP 
device displays up to three responses by default. See the Command Line Interface Reference for information 
about the command syntax. 

12. Managing the Device 

You can manage an HP device using the following applications: 

• Command Line Interface (CLI) - a text-based interface accessible through a direct serial connection or a 
Telnet session. 

• Web management interface - a GUI-based management interface accessible through an HTTP (web 
browser) connection. 

• SNMP network management application - an application such as HP TopTools for Switches & Hubs or HP 
OpenView. 

Logging on Through the CLI 

Once an IP address is assigned to the HP switch or to an interface on the HP routing switch, you can access the 
CLI either through the direct serial connection to the device or through a local or remote Telnet session. 

You can initiate a local Telnet or SNMP connection by attaching a straight-through RJ-45 cable to a port and 
specifying the assigned management station IP address. 

The commands in the CLI are organized into the following levels: 

• User EXEC level - Lets you display information and perform basic tasks such as pings and traceroutes. 

• Privileged EXEC level - Lets you use the same commands as those at the User EXEC level plus 
configuration commands that do not require saving the changes to the system-config file. 

• CONFIG level - Lets you make configuration changes to the device. To save the changes across reboots, 
you need to save them to the system-config file. The CONFIG level contains sub-levels for individual ports, 
for VLANs, for routing protocols, and other configuration areas. 



NOTE: By default, any user who can open a serial or Telnet connection to the HP device can access all these CLI 
levels. To secure access, you can configure Enable passwords or local user accounts, and you can configure the 
device to use a RADIUS or TACACS/TACACS+ server for authentication. See "Securing Access Methods" on 
page 3-2. 



On-Line Help 

To display a list of available commands or command options, enter "?" or press Tab. If you have not entered part 
of a command at the command prompt, all the commands supported at the current CLI level are listed. If you 
enter part of a command, then enter "?" or press Tab, the CLI lists the options you can enter at this point in the 
command string. 

If you enter an invalid command followed by ?, a message appears indicating the command was unrecognized. 
For example: 

HP9300(config)# rooter ip 
Unrecognized command 

Command Completion 

The CLI supports command completion, so you do not need to enter the entire name of a command or option. As 
long as you enter enough characters of the command or option name to avoid ambiguity with other commands or 
options, the CLI understands what you are typing. 

Scroll Control 

By default, the CLI uses a page mode to paginate displays that are longer than the number of rows in your 
terminal emulation window. For example, if you display a list of all the commands at the global CONFIG level but 
your terminal emulation window does not have enough rows to display them all at once, the page mode stops the 
display and lists your choices for continuing the display. 

Here is an example: 

aaa 
all-client 
appletalk 
arp 
boot 
...some lines omitted for brevity... 
ipx 
lock-address 
logging 
mac 
--More--, next page: Space, next line: Return key, quit: Control-c 

The software provides the following scrolling options: 

• Press the Space bar to display the next page (one screen at a time). 

• Press the Return or Enter key to display the next line (one line at a time). 

• Press CTRL + C to cancel the display. 

Line Editing Commands 

The CLI supports the following line editing commands. To enter a line-editing command, use the CTRL-key 
combination for the command by pressing and holding the CTRL key, then pressing the letter associated with the 
command. 



Table 2.2: CLI Line Editing Commands 

Ctrl-Key Combination    Description 
Ctrl-A                  Moves to the first character on the command line. 
Ctrl-B                  Moves the cursor back one character. 
Ctrl-C                  Escapes and terminates command prompts and ongoing tasks (such as lengthy 
                        displays), and displays a fresh command prompt. 
Ctrl-D                  Deletes the character at the cursor. 
Ctrl-E                  Moves to the end of the current command line. 
Ctrl-F                  Moves the cursor forward one character. 
Ctrl-K                  Deletes all characters from the cursor to the end of the command line. 
Ctrl-L; Ctrl-R          Repeats the current command line on a new line. 
Ctrl-N                  Enters the next command line in the history buffer. 
Ctrl-P                  Enters the previous command line in the history buffer. 
Ctrl-U; Ctrl-X          Deletes all characters from the cursor to the beginning of the command line. 
Ctrl-W                  Deletes the last word you typed. 
Ctrl-Z                  Moves from any CONFIG level of the CLI to the Privileged EXEC level; at the 
                        Privileged EXEC level, moves to the User EXEC level. 



For a complete list of CLI commands and syntax information for each command, see the Command Line Interface 
Reference. 

Logging On Through the Web Management Interface 

To use the Web management interface, open a web browser and enter the IP address of the HP device in the 
Location or Address field. The web browser contacts the HP device and displays a login dialog, as shown in 
Figure 2.12. 



NOTE: If you are unable to connect with the switch or routing switch through a Web browser due to a proxy 
problem, it may be necessary to set your Web browser to direct Internet access instead of using a proxy. For 
information on how to change a proxy setting, refer to the online help provided with your Web browser. 



The Enter Network Password dialog asks you to type your user name and password. In the example it shows 
Site 209.157.22.1, Realm "Web Management", User Name "set", an empty Password field, a "Save this password 
in your password list" check box, and OK and Cancel buttons. 

Figure 2.12 Web management interface login dialog 

By default, you can use the user name "get" and the default read-only password "public" for read-only access. 
However, for read-write access, you must enter "set" for the user name, and enter a read-write community string 
that you have configured on the device for the password. There is no default read-write community string. You 
must add one. See "Establishing SNMP Community Strings" on page 3-13. 
As an alternative to using the SNMP community strings to log in, you can configure the device to secure Web 
management access using local user accounts, a RADIUS authentication server, or a TACACS/TACACS+ server. 
See "Securing Access Methods" on page 3-2. 

On the HP 9304M or HP 9308M, if you have configured a greeting banner (using the banner motd CLI 
command), a panel with the greeting is displayed first. Click on the Login link to proceed to the Login dialog. Here 
is an example of the greeting panel: 

The example panel shows the Hewlett-Packard ProCurve 9308 banner followed by the greeting text. 

Using the Web Management Interface 

When you log into a device, the System configuration panel is displayed. This panel allows you to enable or 
disable major system features. You can return to this panel from any other panel by selecting the Home link. 

The Site Map link gives you a view of all available options on a single screen. 

The left pane of the Web management interface window contains a "tree view," similar to the one found in 
Windows Explorer. Configuration options are grouped into folders in the tree view. These folders, when 
expanded, reveal additional options. To expand a folder, click on the plus sign to the left of the folder icon. 

You can configure the appearance of the Web management interface by using one of the following methods. 

USING THE CLI 

Using the CLI, you can modify the appearance of the Web management interface with the web-management 
command. 

To cause the Web management interface to display the List view by default: 

HP9300(config)# web-management list-menu 

To disable the front panel frame: 

HP9300(config)# no web-management front-panel 

When you save the configuration with the write memory command, the changes will take place the next time you 
start the Web management interface, or if you are currently running the Web management interface, the changes 
will take place when you click the Refresh button on your browser. 

USING THE WEB MANAGEMENT INTERFACE 

1. Click on the plus sign next to Configure in the tree view to expand the list of configuration options. 

2. Click on the plus sign next to System in the tree view to expand the list of system configuration links. 

3. Click on the plus sign next to Management in the tree view to expand the list of system management links. 

4. Click on the Web Preference link to display the Web Management Preferences panel. 
5. Enable or disable elements on the Web management interface by clicking on the appropriate radio buttons on 
the panel. The following figure identifies the elements you can change. 

The figure shows the Web management interface in a Netscape browser window with the System configuration 
panel displayed and the following elements labeled: Menu Type (Tree View shown), Menu Frame, Front Panel, 
Front Panel Frame, and Page Menu Bottom Frame. 


NOTE: The tree view is available when you use the Web management interface with Netscape 4.0 or higher 
or Internet Explorer 4.0 or higher browsers. If you use the Web management interface with an older browser, 
the Web management interface displays the List view only, and the Web Management Preferences panel 
does not include an option to display the tree view. 



6. When you have finished, click the Apply button on the panel, then click the Refresh button on your browser to 
activate the changes. 

7. To save the configuration, click the plus sign next to the Command folder, then click the Save to Flash link. 



NOTE: The only changes that become permanent are the settings to the Menu Type and the Front Panel 
Frame. Any other elements you enable or disable will go back to their default settings the next time you start 
the Web management interface. 



13. Swapping Modules (Chassis Devices only) 

After you physically insert a module into a Chassis device, you need to enter the location and type of module in 
the software, unless you either reboot the device or are replacing one module with another of the same type. 

• Slots on the HP 9304M are numbered 1 - 4, from top to bottom. 

• Slots on the HP 9308M are numbered 1 - 8, from left to right. 

See "Slot and Port Numbers" on page 8-8 for more information about slot and port numbering. 
NOTE: If the slot has never contained a module or you are swapping in exactly the same type of module, you do 
not need to use the module command. The slot requires configuration only if it has already been configured for 
another type of module. 

USING THE CLI 

To add a module to a Chassis device: 

HP9300(config)# module 3 24-port-copper-module 

Syntax: module <slot-num> <module-type> 

The <slot-num> parameter indicates the Chassis device slot number. 

The <module-type> parameter can be one of the following. You can, of course, take advantage of the CLI's 
support for abbreviated command and parameter names. 



NOTE: Some module strings apply to more than one module. This is because the slot configuration does not 
differ based on the physical layer. For example, a slot does not distinguish between an 8-port LX Fiber module and 
an 8-port SX Fiber module. However, the software does indicate the physical layer type when you display module 
information. For example, the output of the show module command indicates the physical layer types of each 
module. 



Table 2.3: Module Options 

Module Type                 Part Number and Description                                         Module String 
Redundant Management        J4845A  HP ProCurve 9300 GigLX Redundant Management Module (8-port) 8-port-gig-management-module 
modules (MM)                J4846A  HP ProCurve 9300 GigSX Redundant Management Module (8-port) 8-port-gig-management-module 
                            J4847A  HP ProCurve 9300 Redundant Management Module (0-port)       0-port-management-module 
Management modules (M1)     J4141A  HP ProCurve 9300 10/100 Management Module (16-port)         16-port-copper-management-module 
                            J4144A  HP ProCurve 9300 Gigabit SX Management Module (8-port)      8-port-gig-management-module 
                            J4146A  HP ProCurve 9300 Gigabit 4LX/4SX Management Module (8-port) 8-port-gig-management-module 
Unmanaged modules           J4848A  HP ProCurve 9300 1000Base-T Module (8-port)                 8-port-gig-copper-module 
                            J4142A  HP ProCurve 9300 10/100 Module (24-port)                    24-port-copper-module 
                            J4143A  HP ProCurve 9300 100Base FX Module (24-port MT-RJ)          24-port-100fx-module 
                            J4145A  HP ProCurve 9300 Gigabit SX Module (8-port)                 8-port-gig-module 
                            J4147A  HP ProCurve 9300 Gigabit 4LX/4SX Module (8-port)            8-port-gig-module 
                            J4844A  HP ProCurve 9300 GigLX Module (8-port)                      8-port-gig-module 
USING THE WEB MANAGEMENT INTERFACE 

To configure a chassis slot for a module: 

1. Log on to the device using a valid user name and password for read-write access. The System configuration 
panel is displayed. 

2. Click on the Module link to display the Module panel, as shown in the following example. 

Slot    Module                           Status    Ports    Starting MAC 
1       8 Port Gig Management Module     OK        8        00e0.52f0.4f00 
2       None 
3       24 Port Copper Module            OK        24       00e0.52f0.4f40 
4       24 Port Copper Module            OK        24       00e0.52f0.4f50 
5       None 
6       None 
7       None 
8       None 

Each row has a Delete button, and an Add Module link appears below the table. 


3. Click the Add Module link to display the following panel. 

The Add Module panel has a Slot pulldown menu (3 is selected in the example), a Module Type pulldown menu 
(8-port-gig-module is selected), and Add, Delete, Reset, and Show buttons. 



4. Select slot number from the Slot pulldown menu. 

• Slots on the HP 9304M are numbered 1 - 4, from top to bottom. 

• Slots on the HP 9308M are numbered 1 - 8, from left to right. 

5. Select the module type from the Module Type pulldown menu. 

6. Click the Add button to save the change to the device's running-config file. 

7. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change 
to the startup-config file on the device's flash memory. 
14. Next Steps 

Once the initial installation steps are completed, you can proceed with enabling routing protocols and configuring 
specific features on the switch or routing switches as described in "Configuring Basic Features" on page 9-1. 

Configuration details for all routing protocols and advanced VLAN features can be found in the Advanced 
Configuration and Management Guide. 
Chapter 3 
Securing Access 



This chapter describes how to secure management access to the HP 9304M, HP 9308M, and HP 6308M-SX 
routing switches and the HP 6208M-SX switch. 

The HP 9304M, HP 9308M, and HP 6308M-SX routing switches and the HP 6208M-SX switch provide the 
following methods for securing access to the device. You can use one or more of these methods: 

• "Securing Access Methods" on page 3-2 lists the management access methods available on an HP device 
and the ways you can secure each one 

• "Restricting Remote Access to Management Functions" on page 3-3 explains how to restrict access to 
management functions from remote sources, including Telnet and the Web management interface 

• "Setting Passwords" on page 3-8 explains how to set passwords for Telnet access and management privilege 
levels 

• "Setting Up Local User Accounts" on page 3-11 explains how to define user accounts to regulate who can 
access management functions 

• "Establishing SNMP Community Strings" on page 3-13 explains how to configure SNMP read-only and 
read-write community strings on an HP device 

• "Configuring TACACS/TACACS+ Security" on page 3-16 explains how to configure TACACS/TACACS+ 
authentication, authorization, and accounting 

• "Configuring RADIUS Security" on page 3-31 explains how to configure RADIUS authentication, 
authorization, and accounting 

• "Configuring Authentication-Method Lists" on page 3-44 explains how to set the order in which authentication 
methods are consulted when more than one is used with an access method 
Securing Access Methods 



The following table lists the management access methods available on an HP device, how they are secured by 
default, and the ways in which they can be secured. 

Table 3.1: Ways to secure management access to HP devices 

Serial access to the CLI 
  How the access method is secured by default: Not secured 
  Ways to secure the access method: 
    Establish passwords for management privilege levels (page 3-9) 

Access to the Privileged EXEC and CONFIG levels of the CLI 
  How the access method is secured by default: Not secured 
  Ways to secure the access method: 
    Establish a password for Telnet access to the CLI (page 3-8) 
    Establish passwords for management privilege levels (page 3-9) 
    Set up local user accounts (page 3-11) 
    Configure TACACS/TACACS+ security (page 3-16) 
    Configure RADIUS security (page 3-31) 

Telnet access 
  How the access method is secured by default: Not secured 
  Ways to secure the access method: 
    Regulate Telnet access using ACLs (page 3-4) 
    Allow Telnet access only from specific IP addresses (page 3-5) 
    Allow Telnet access only to clients connected to a specific VLAN (page 3-6) 
    Disable Telnet access (page 3-7) 
    Establish a password for Telnet access (page 3-8) 
    Establish passwords for privilege levels of the CLI (page 3-9) 
    Set up local user accounts (page 3-11) 
    Configure TACACS/TACACS+ security (page 3-16) 
    Configure RADIUS security (page 3-31) 

Secure Shell (SSH) access 
  How the access method is secured by default: Not configured 
  Ways to secure the access method: 
    Configure SSH (page 4-1) 
    Establish passwords for privilege levels of the CLI (page 3-9) 
    Set up local user accounts (page 3-11) 
    Configure TACACS/TACACS+ security (page 3-16) 
    Configure RADIUS security (page 3-31) 

Web management access 
  How the access method is secured by default: SNMP read or read-write community strings 
  Ways to secure the access method: 
    Regulate Web management access using ACLs (page 3-4) 
    Allow Web management access only from specific IP addresses (page 3-5) 
    Allow Web management access only to clients connected to a specific VLAN (page 3-6) 
    Disable Web management access (page 3-7) 
    Set up local user accounts (page 3-11) 
    Establish SNMP read or read-write community strings (page 3-13) 
    Configure TACACS/TACACS+ security (page 3-16) 
    Configure RADIUS security (page 3-31) 

TFTP access 
  How the access method is secured by default: Not secured 
  Ways to secure the access method: 
    Allow TFTP access only to clients connected to a specific VLAN (page 3-6) 



Restricting Remote Access to Management Functions 

You can restrict access to management functions from remote sources, including Telnet, the Web management 
interface, and SNMP. The following methods for restricting remote access are supported: 

• Using ACLs to restrict Telnet, Web management interface, or SNMP access 

• Allowing remote access only from specific IP addresses 

• Allowing remote access only to clients connected to a specific VLAN 

• Specifically disabling Telnet, Web management interface, or SNMP access to the device 

The following sections describe how to restrict remote access to an HP device using these methods. 

Using ACLs to Restrict Remote Access 

You can use standard ACLs to control the following access methods to management functions on an HP device: 

• Telnet access 

• Web management access 

• SNMP access 

To configure access control for these management access methods: 

1. Configure an ACL with the IP addresses you want to allow to access the device 

2. Configure a Telnet access group, web access group, and SNMP community strings. Each of these 
configuration items accepts an ACL as a parameter. The ACL contains entries that identify the IP addresses 
that can use the access method. 

The following sections present examples of how to secure management access using ACLs. See the "Using 
Access Control Lists (ACLs)" chapter in the Advanced Configuration and Management Guide for more information 
on configuring ACLs. 
Using an ACL to Restrict Telnet Access 

To configure an ACL that restricts Telnet access to the device, enter commands such as the following: 

HP9300(config)# access-list 10 deny host 209.157.22.32 log 
HP9300(config)# access-list 10 deny 209.157.23.0 0.0.0.255 log 
HP9300(config)# access-list 10 deny 209.157.24.0 0.0.0.255 log 
HP9300(config)# access-list 10 deny 209.157.25.0/24 log 
HP9300(config)# access-list 10 permit any 
HP9300(config)# telnet access-group 10 
HP9300(config)# write memory 

Syntax: telnet access-group <num> 

The <num> parameter specifies the number of a standard ACL and must be from 1 - 99. 

The commands above configure ACL 10, then apply the ACL as the access list for Telnet access. The device 
allows Telnet access to all IP addresses except those listed in ACL 10. 

To configure a more restrictive ACL, create permit entries and omit the permit any entry at the end of the ACL. 
For example: 

HP9300(config)# access-list 10 permit host 209.157.22.32 
HP9300(config)# access-list 10 permit 209.157.23.0 0.0.0.255 
HP9300(config)# access-list 10 permit 209.157.24.0 0.0.0.255 
HP9300(config)# access-list 10 permit 209.157.25.0/24 
HP9300(config)# telnet access-group 10 
HP9300(config)# write memory 

The ACL in this example permits Telnet access only to the IP addresses in the permit entries and denies Telnet 
access from all other IP addresses. 

Using an ACL to Restrict Web Management Access 

To configure an ACL that restricts Web management access to the device, enter commands such as the following: 

HP9300(config)# access-list 12 deny host 209.157.22.98 log 
HP9300(config)# access-list 12 deny 209.157.23.0 0.0.0.255 log 
HP9300(config)# access-list 12 deny 209.157.24.0/24 log 
HP9300(config)# access-list 12 permit any 
HP9300(config)# web access-group 12 
HP9300(config)# write memory 

Syntax: web access-group <num> 

The <num> parameter specifies the number of a standard ACL and must be from 1 - 99. 

These commands configure ACL 12, then apply the ACL as the access list for Web management access. The 
device denies Web management access from the IP addresses listed in ACL 12 and permits Web management 
access from all other IP addresses. Without the last ACL entry for permitting all packets, this ACL would deny 
Web management access from all IP addresses. 



NOTE: In this example, the command web access-group 10 could have been used to apply the ACL configured 
in the example for Telnet access. You can use the same ACL multiple times. 



Using ACLs to Restrict SNMP Access 

To restrict SNMP access to the device using ACLs, enter commands such as the following: 



NOTE: The syntax for using ACLs for SNMP access is different from the syntax for controlling Telnet and Web 
management access using ACLs. 



HP9300(config)# access-list 25 deny host 209.157.22.98 log 
HP9300(config)# access-list 25 deny 209.157.23.0 0.0.0.255 log 
HP9300(config)# access-list 25 deny 209.157.24.0 0.0.0.255 log 
HP9300(config)# access-list 30 deny 209.157.25.0 0.0.0.255 log 
HP9300(config)# access-list 30 deny 209.157.26.0/24 log 
HP9300(config)# access-list 30 permit any 
HP9300(config)# snmp-server community public ro 25 
HP9300(config)# snmp-server community private rw 30 
HP9300(config)# write memory 

Syntax: snmp-server community <string> ro | rw <num> 

The <string> parameter specifies the SNMP community string the user must enter to gain SNMP access. 

The ro parameter indicates that the community string is for read-only ("get") access. The rw parameter indicates 
the community string is for read-write ("set") access. 

The <num> parameter specifies the number of a standard ACL and must be from 1 - 99. 

These commands configure ACLs 25 and 30, then apply the ACLs to community strings. 

ACL 25 is used to control read-only access using the "public" community string. ACL 30 is used to control read- 
write access using the "private" community string. 
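As an added illustration (not HP code and not the device's own implementation), the following Python script models the standard-ACL matching that the telnet access-group, web access-group and snmp-server community commands in the three sections above apply: the first matching entry decides, and a client that matches no entry is denied. The sample ACLs are the two Telnet ACLs from this chapter; the names BLOCKLIST_ACL and ALLOWLIST_ACL, and the helper functions, are the example's own.

```python
"""First-match standard-ACL evaluator.

Added example, not HP code: it models the standard ACL semantics the
manual describes for telnet access-group, web access-group and the ACL
number on snmp-server community (the first matching entry wins; a client
that matches no entry is denied). Sample ACLs are copied from the manual.
"""
import ipaddress
from typing import List, Tuple

Entry = Tuple[str, ipaddress.IPv4Network, bool]   # (action, source, log)


def _wildcard_to_prefix(wildcard: str) -> int:
    """Convert a wildcard mask such as 0.0.0.255 to a prefix length (24).

    A wildcard sets 1 bits for "don't care"; its complement must be a
    contiguous netmask for the entry to describe a single prefix."""
    netmask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    prefix = bin(netmask).count("1")
    if netmask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return prefix


def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse 'access-list <num> permit|deny <source> [log]' lines, in order."""
    entries: List[Entry] = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            raise ValueError(f"not an access-list entry: {line!r}")
        action = tokens[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in {line!r}")
        src = tokens[3:]
        log = src[-1] == "log"
        if log:
            src = src[:-1]
        if src == ["any"]:
            net = ipaddress.IPv4Network("0.0.0.0/0")
        elif len(src) == 2 and src[0] == "host":
            net = ipaddress.IPv4Network(f"{src[1]}/32")
        elif len(src) == 2:                       # address + wildcard mask
            net = ipaddress.IPv4Network((src[0], _wildcard_to_prefix(src[1])),
                                        strict=False)
        elif len(src) == 1 and "/" in src[0]:     # CIDR form
            net = ipaddress.IPv4Network(src[0], strict=False)
        else:
            raise ValueError(f"unparsable source in {line!r}")
        entries.append((action, net, log))
    return entries


def evaluate(acl: List[Entry], client_ip: str) -> Tuple[str, str]:
    """Return (action, reason) for the first entry that matches client_ip.

    A client matching no entry is denied; that is why the manual's "more
    restrictive" ACL, which has no 'permit any', blocks every unlisted host."""
    addr = ipaddress.IPv4Address(client_ip)
    for index, (action, net, log) in enumerate(acl, start=1):
        if addr in net:
            suffix = " [logged]" if log else ""
            return action, f"entry {index} ({net}){suffix}"
    return "deny", "implicit deny (no matching entry)"


def ends_open(acl: List[Entry]) -> bool:
    """True if a 'permit any' entry exists, i.e. unlisted clients get in."""
    return any(a == "permit" and n.prefixlen == 0 for a, n, _ in acl)


# Sample ACLs, copied from the manual's two Telnet examples.
BLOCKLIST_ACL = parse_acl([
    "access-list 10 deny host 209.157.22.32 log",
    "access-list 10 deny 209.157.23.0 0.0.0.255 log",
    "access-list 10 deny 209.157.24.0 0.0.0.255 log",
    "access-list 10 deny 209.157.25.0/24 log",
    "access-list 10 permit any",
])

ALLOWLIST_ACL = parse_acl([
    "access-list 10 permit host 209.157.22.32",
    "access-list 10 permit 209.157.23.0 0.0.0.255",
    "access-list 10 permit 209.157.24.0 0.0.0.255",
    "access-list 10 permit 209.157.25.0/24",
])

if __name__ == "__main__":
    for ip in ("209.157.22.32", "209.157.22.33", "209.157.25.7", "10.0.0.1"):
        print(ip, "blocklist:", evaluate(BLOCKLIST_ACL, ip),
              "allowlist:", evaluate(ALLOWLIST_ACL, ip))
```

Running the script shows why the second Telnet ACL is the more restrictive one: 209.157.22.33 is permitted by the first ACL's trailing permit any entry but falls through to the implicit deny in the second. The same evaluation applies to ACLs 12, 25 and 30, which is also why the Web example would deny all clients without its final permit any entry.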

Restricting Remote Access to the Device to Specific IP Addresses 

By default, an HP device does not control remote management access based on the IP address of the managing 
device. You can restrict remote management access to a single IP address for the following access methods: 

• Telnet access 

• Web management access 

• SNMP access 

In addition, if you want to restrict all three access methods to the same IP address, you can do so using a single 
command. 

The following examples show the CLI commands for restricting remote access. You can specify only one IP 
address with each command. However, you can enter each command ten times to specify up to ten IP addresses. 

NOTE: You cannot restrict remote management access using the Web management interface. 

Restricting Telnet Access to a Specific IP Address 

To allow Telnet access to the HP device only to the host with IP address 209.157.22.39, enter the following 
command: 

HP9300(config)# telnet-client 209.157.22.39 

Syntax: [no] telnet-client <ip-addr> 

Restricting Web Management Access to a Specific IP Address 

To allow Web management access to the HP device only to the host with IP address 209.157.22.26, enter the 
following command: 

HP9300(config)# web-client 209.157.22.26 

Syntax: [no] web-client <ip-addr> 

Restricting All Remote Management Access to a Specific IP Address 

To allow Telnet, Web, and SNMP management access to the HP device only to the host with IP address 
209.157.22.69, you can enter three separate commands (one for each access type) or you can enter the following 
command: 

HP9300(config)# all-client 209.157.22.69 

Syntax: [no] all-client <ip-addr> 



3-5 



Installation and Getting Started Guide 



Restricting Remote Access to the Device to Specific VLAN IDs 

You can restrict management access to an HP device to ports within a specific port-based VLAN. VLAN-based 
access control applies to the following access methods: 

• Telnet access 

• Web management access 

• SNMP access 

• TFTP access 

By default, access is allowed for all the methods listed above on all ports. Once you configure security for a given 
access method based on VLAN ID, access to the device using that method is restricted to only the ports within the 
specified VLAN. 

VLAN-based access control works in conjunction with other access control methods. For example, suppose you 
configure an ACL to permit Telnet access only to specific client IP addresses, and you also configure VLAN-based 
access control for Telnet access. In this case, the only Telnet clients that can access the device are clients that 
have one of the IP addresses permitted by the ACL and are connected to a port that is in a permitted VLAN. 
Clients who have a permitted IP address but are connected to a port in a VLAN that is not permitted still cannot 
access the device through Telnet. 

Restricting Telnet Access to a Specific VLAN 

To allow Telnet access only to clients in a specific VLAN, enter a command such as the following: 

HP9300(config)# telnet server enable vlan 10 

The command in this example configures the device to allow Telnet management access only to clients connected 
to ports within port-based VLAN 10. Clients connected to ports that are not in VLAN 10 are denied management 
access. 

Syntax: [no] telnet server enable vlan <vlan-id> 

Restricting Web Management Access to a Specific VLAN 

To allow Web management access only to clients in a specific VLAN, enter a command such as the following: 

HP9300(config)# web-management enable vlan 10 

The command in this example configures the device to allow Web management access only to clients connected 
to ports within port-based VLAN 10. Clients connected to ports that are not in VLAN 10 are denied management 
access. 

Syntax: [no] web-management enable vlan <vlan-id> 

Restricting SNMP Access to a Specific VLAN 

To allow SNMP access only to clients in a specific VLAN, enter a command such as the following: 

HP9300(config)# snmp-server enable vlan 40 

The command in this example configures the device to allow SNMP access only to clients connected to ports 
within port-based VLAN 40. Clients connected to ports that are not in VLAN 40 are denied access. 

Syntax: [no] snmp-server enable vlan <vlan-id> 

Restricting TFTP Access to a Specific VLAN 

To allow TFTP access only to clients in a specific VLAN, enter a command such as the following: 

HP9300(config)# tftp client enable vlan 40 

The command in this example configures the device to allow TFTP access only to clients connected to ports within 
port-based VLAN 40. Clients connected to ports that are not in VLAN 40 are denied access. 

Syntax: [no] tftp client enable vlan <vlan-id> 
Disabling Specific Access Methods 

You can specifically disable the following access methods: 

• Telnet access 

• Web management access 

• SNMP access 

NOTE: If you disable Telnet access, you will not be able to access the CLI except through a serial connection to 
the management module. If you disable SNMP access, you will not be able to use third-party SNMP management 
applications. 

Disabling Telnet Access 

Telnet access is enabled by default. You can use a Telnet client to access the CLI on the device over the network. 
If you do not plan to use the CLI over the network and want to disable Telnet access to prevent others from 
establishing CLI sessions with the device, enter the following command: 

HP9300(config)# no telnet-server 

To re-enable Telnet operation, enter the following command: 

HP9300(config)# telnet-server 

Syntax: [no] telnet-server 

Disabling Web Management Access 

If you want to prevent access to the device through the Web management interface, you can disable the Web 
management interface. 

NOTE: As soon as you make this change, the device stops responding to Web management sessions. If you 
make this change using your Web browser, your browser can contact the device, but the device will not reply once 
the change takes place. 

USING THE CLI 

To disable the Web management interface, enter the following command: 

HP9300(config)# no web-management 

To re-enable the Web management interface, enter the following command: 

HP9300(config)# web-management 

Syntax: [no] web-management 

USING THE WEB MANAGEMENT INTERFACE 

1. Log on to the device using a valid user name and password for read-write access. The System configuration 
panel is displayed. 

2. Select the Management link from the System configuration panel to display the Management panel. 

3. Click Disable next to Web Management. 

4. Click the Apply button to save the change to the device's running-config file. 

5. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change 
to the startup-config file on the device's flash memory. 
Setting Passwords 

Passwords can be used to secure the following access methods: 

• Telnet access can be secured by setting a Telnet password. See "Setting a Telnet Password" on page 3-8. 

• Access to the Privileged EXEC and CONFIG levels of the CLI can be secured by setting passwords for 
management privilege levels. See "Setting Passwords for Management Privilege Levels" on page 3-9. 

This section also provides procedures for enhancing management privilege levels, recovering from a lost 
password, and disabling password encryption. 

NOTE: You also can configure up to 16 user accounts consisting of a user name and password, and assign each 
user account a management privilege level. See "Setting Up Local User Accounts" on page 3-11. 



Setting a Telnet Password 

By default, the device does not require a user name or password when you log in to the CLI using Telnet. You can 
assign a password for Telnet access using one of the following methods. 

USING THE CLI 

To set the password "letmein" for Telnet access to the CLI, enter the following command at the global CONFIG 
level: 

HP9300(config)# enable telnet password letmein 

Syntax: [no] enable telnet password <string> 

USING THE WEB MANAGEMENT INTERFACE 

1. Log on to the device using a valid user name and password for read-write access. The System configuration 
panel is displayed. 

2. Select the Management link from the System configuration panel to display the Management panel. 

3. Enter the password in the Telnet Password field. 

4. Click the Apply button to save the change to the device's running-config file. 

5. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change 
to the startup-config file on the device's flash memory. 

Suppressing Telnet Connection Rejection Messages 

By default, if an HP device denies Telnet management access from a client, the software sends a message to the 
denied Telnet client. You can optionally suppress the rejection message. When you enable the option, a denied 
Telnet client does not receive a message from the HP device. Instead, the denied client simply does not gain 
access. 

To suppress the connection rejection message, use the following CLI method. 

USING THE CLI 

To suppress the connection rejection message sent by the device to a denied Telnet client, enter the following 
command at the global CONFIG level of the CLI: 

HP9300(config)# telnet server suppress-reject-message 

Syntax: [no] telnet server suppress-reject-message 

USING THE WEB MANAGEMENT INTERFACE 

You cannot configure this option using the Web management interface. 
Setting Passwords for Management Privilege Levels 

You can set one password for each of the following management privilege levels: 

• Super User level - Allows complete read-and-write access to the system. This is generally for system 
administrators and is the only management privilege level that allows you to configure passwords. 

• Port Configuration level - Allows read-and-write access for specific ports but not for global (system-wide) 
parameters. 

• Read Only level - Allows access to the Privileged EXEC mode and CONFIG mode of the CLI but only with 
read access. 

You can assign a password to each management privilege level. You also can configure up to 16 user accounts 
consisting of a user name and password, and assign each user account to one of the three privilege levels. See 
"Setting Up Local User Accounts" on page 3-11. 

NOTE: You must use the CLI to assign a password for management privilege levels. You cannot assign a 
password using the Web management interface. 

If you configure user accounts in addition to privilege level passwords, the device will validate a user's access 
attempt using one or both methods (local user account or privilege level password), depending on the order you 
specify in the authentication-method lists. See "Configuring Authentication-Method Lists" on page 3-44. 

USING THE CLI 

To set passwords for management privilege levels: 

1. At the opening CLI prompt, enter the following command to change to the Privileged level of the EXEC mode: 

HP9300> enable 
HP9300# 

2. Access the CONFIG level of the CLI by entering the following command: 

HP9300# configure terminal 
HP9300(config)# 

3. Enter the following command to set the Super User level password: 

HP9300(config)# enable super-user-password <text> 

NOTE: You must set the Super User level password before you can set other types of passwords. 

4. Enter the following commands to set the Port Configuration level and Read Only level passwords: 

HP9300(config)# enable port-config-password <text> 
HP9300(config)# enable read-only-password <text> 

NOTE: If you forget your Super User level password, see "Recovering from a Lost Password" on page 3-10. 

Augmenting Management Privilege Levels 

Each management privilege level provides access to specific areas of the CLI by default: 

• Super User level provides access to all commands and displays. 

• Port Configuration level gives access to: 

  • The User EXEC and Privileged EXEC levels 

  • The port-specific parts of the CONFIG level 

  • All interface configuration levels 

• Read Only level gives access to: 

  • The User EXEC and Privileged EXEC levels 
You can grant additional access to a privilege level on an individual command basis. To grant the additional 
access, you specify the privilege level you are enhancing, the CLI level that contains the command, and the 
individual command. 



NOTE: This feature applies only to management privilege levels on the CLI. You cannot augment management 
access levels for the Web management interface. 

To enhance the Port Configuration privilege level so users also can enter IP commands at the global CONFIG 
level: 

HP9300(config)# privilege configure level 4 ip 

In this command, configure specifies that the enhanced access is for a command at the global CONFIG level of 
the CLI. The level 4 parameter indicates that the enhanced access is for management privilege level 4 (Port 
Configuration). All users with Port Configuration privileges will have the enhanced access. The ip parameter 
indicates that the enhanced access is for the IP commands. Users who log in with valid Port Configuration level 
user names and passwords can enter commands that begin with "ip" at the global CONFIG level. 

Syntax: [no] privilege <cli-level> level <privilege-level> <command-string> 

The <cli-level> parameter specifies the CLI level and can be one of the following values: 

• exec - EXEC level; for example, HP9300> or HP9300# 

• configure - CONFIG level; for example, HP9300(config)# 

• interface - Interface level; for example, HP9300(config-if-6)# 

• virtual-interface - Virtual-interface level; for example, HP9300(config-vif-6)# 

• rip-router - RIP router level; for example, HP9300(config-rip-router)# 

• ospf-router - OSPF router level; for example, HP9300(config-ospf-router)# 

• dvmrp-router - DVMRP router level; for example, HP9300(config-dvmrp-router)# 

• pim-router - PIM router level; for example, HP9300(config-pim-router)# 

• bgp-router - BGP4 router level; for example, HP9300(config-bgp-router)# 

• port-vlan - Port-based VLAN level; for example, HP9300(config-vlan)# 

• protocol-vlan - Protocol-based VLAN level 

The <privilege-level> indicates the number of the management privilege level you are augmenting. You can 
specify one of the following: 

• 0 - Super User level (full read-write access) 

• 4 - Port Configuration level 

• 5 - Read Only level 

The <command-string> parameter specifies the command you are allowing users with the specified privilege level 
to enter. To display a list of the commands at a CLI level, enter "?" at that level's command prompt. 

Recovering from a Lost Password 

Recovery from a lost password requires direct access to the serial port and a system reset. 

NOTE: You can perform this procedure only from the CLI. 

To recover from a lost password: 

1. Start a CLI session over the serial interface to the device. 

2. Reboot the device. 

3. At the initial boot prompt at system startup, enter b to enter the boot monitor mode. 
4. Enter no password at the prompt. (You cannot abbreviate this command.) This command will cause the 
device to bypass the system password check. 

5. Enter boot system flash primary at the prompt. 

6. After the console prompt reappears, assign a new password. 

Disabling Password Encryption 

When you configure a password, then save the configuration to the HP device's flash memory, the password is 
also saved to flash as part of the configuration file. By default, the passwords are encrypted so that the 
passwords cannot be observed by another user who displays the configuration file. Even if someone observes 
the file while it is being transmitted over TFTP, the password is encrypted. 



NOTE: You cannot disable password encryption using the Web management interface. 



If you want to remove the password encryption, you can disable encryption by entering the following command: 

HP9300(config)# no service password-encryption 

Syntax: [no] service password-encryption 

Setting Up Local User Accounts 

You can define up to 16 local user accounts on an HP device. User accounts regulate who can access the 
management functions in the CLI using the following methods: 

• Telnet access 

• Web management access 

• SNMP access 

Local user accounts provide greater flexibility for controlling management access to HP devices than do 
management privilege level passwords and SNMP community strings. You can continue to use the privilege level 
passwords and the SNMP community strings as additional means of access authentication. Alternatively, you can 
choose not to use local user accounts and instead continue to use only the privilege level passwords and SNMP 
community strings. Local user accounts are backward-compatible with configuration files that contain privilege 
level passwords. See "Setting Passwords for Management Privilege Levels" on page 3-9. 

If you configure local user accounts, you also need to configure an authentication-method list for Telnet access, 
Web management access, and SNMP access. See "Configuring Authentication-Method Lists" on page 3-44. 

For each local user account, you specify a user name. You also can specify the following parameters: 

• A password 

• A management privilege level, which can be one of the following: 

• Super User level - Allows complete read-and-write access to the system. This is generally for system 
administrators and is the only privilege level that allows you to configure passwords. This is the default. 

• Port Configuration level - Allows read-and-write access for specific ports but not for global (system-wide) 
parameters. 

• Read Only level - Allows access to the Privileged EXEC mode and CONFIG mode but only with read 
access. 

Configuring a Local User Account 

To configure a local user account, use one of the following methods. 

USING THE CLI 

To configure a local user account, enter a command such as the following at the global CONFIG level of the CLI. 

HP9300(config)# username wonka password willy 

This command adds a local user account with the user name "wonka" and the password "willy". This account has 
the Super User privilege level; this user has full access to all configuration and display features. 



NOTE: If you configure local user accounts, you must grant Super User level access to at least one account 
before you add accounts with other privilege levels. You need the Super User account to make further 
administrative changes. 



HP9300(config)# username waldo privilege 5 password whereis 

This command adds a user account for user name "waldo", password "whereis", with the Read Only privilege 
level. Waldo can look for information but cannot make configuration changes. 

Syntax: [no] username <user-string> privilege <privilege-level> password | nopassword <password-string> 

The privilege parameter specifies the privilege level for the account. You can specify one of the following: 

• 0 - Super User level (full read-write access) 

• 4 - Port Configuration level 

• 5 - Read Only level 

The default privilege level is 0. If you want to assign Super User level access to the account, you can enter the 
command without privilege 0, as shown in the command example above. 

The password | nopassword parameter indicates whether the user must enter a password. If you specify 
password, enter the string for the user's password. 



NOTE: You must be logged on with Super User access (privilege level 0) to add user accounts or configure other 
access parameters. 



To display user account information, enter the following command: 

HP9300(config)# show users 

Syntax: show users 

USING THE WEB MANAGEMENT INTERFACE 

To configure a local user account using the Web management interface, use the following procedure. 

NOTE: Before you can add a local user account using the Web management interface, you must enable this 
capability by entering the password any command at the global CONFIG level of the CLI. 



1. Log on to the device using a valid user name and password for read-write access. The System configuration 
dialog is displayed. 

2. Select the Management link from the System configuration panel to display the Management panel. 

3. Select the User Account link. 

• If any user accounts are already configured on the device, the account information is listed in a table. 
Select the Add User Account link to display the following panel. Notice that the password display is 
encrypted. If you want the passwords to be displayed in clear text, you can use the CLI to disable 
encryption of password displays. See "Disabling Password Encryption" on page 3-11. 

• If the device does not have any user accounts configured, the following panel is displayed. 

[User Account panel: Username, Password and Privilege (0 (Read-Write)) fields, with Add, Delete, Reset and Show controls] 

4. Enter the user name in the User Name field. The name cannot contain blanks. 

5. Enter the password in the Password field. The password cannot contain blanks. 

6. Select the management privilege level from the Privilege pulldown menu. You can select one of the following: 

• 0 (Read-Write) - equivalent to Super User level access. The user can display and configure everything. 

• 4 (Port-Config) - allows the user to configure port parameters but not global parameters. 

• 5 (Read-Only) - allows the user to display information but not to make configuration changes. 

7. Click the Add button to save the change to the device's running-config file. 

8. Repeat steps 4 - 7 for each user account. You can add up to 16 accounts. 

9. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change 
to the startup-config file on the device's flash memory. 

Establishing SNMP Community Strings 

The default passwords for Web management access are actually the SNMP community strings configured on the 
device. 

• The default read-only community string is "public". To open a read-only Web management session, enter 
"get" and "public" for the user name and password. 

• There is no default read-write community string. Thus, by default, you cannot open a read-write management 
session using the Web management interface. You first must configure a read-write community string using 
the CLI. Then you can log on using "set" as the user name and the read-write community string you configure 
as the password. 

You can configure as many additional read-only and read-write community strings as you need. The number of 
strings you can configure depends on the memory on the device. There is no practical limit. 

The Web management interface supports only one read-write session at a time. When a read-write session is 
open on the Web management interface, subsequent sessions are read-only, even if the session login is "set" with 
a valid read-write password. 



NOTE: If you delete the startup-config file, the device automatically re-adds the default "public" read-only 
community string the next time you load the software. 



NOTE: As an alternative to the SNMP community strings, you can secure Web management access using local 
user accounts or ACLs. See "Setting Up Local User Accounts" on page 3-11 or "Using an ACL to Restrict Web 
Management Access" on page 3-4. 
Encryption of SNMP Community Strings 

The software automatically encrypts SNMP community strings. Users with read-only access or who do not have 
access to management functions in the CLI cannot display the strings. For users with read-write access, the 
strings are encrypted in the CLI but are shown in the clear in the Web management interface. 

Encryption is enabled by default. You can disable encryption for individual strings or trap receivers if desired. See 
the next section for information about encryption. 

Adding an SNMP Community String 

To add a community string, use either of the following methods. When you add a community string, you can 
specify whether the string is encrypted or clear. By default, the string is encrypted. 

USING THE CLI 

To add an encrypted community string, enter commands such as the following: 

HP9300(config)# snmp-server community private rw 
HP9300(config)# write memory 

Syntax: snmp-server community [0 | 1] <string> ro | rw 

The <string> parameter specifies the community string name. The string can be up to 32 characters long. 

The ro | rw parameter specifies whether the string is read-only (ro) or read-write (rw). 

The 0 | 1 parameter affects encryption for display of the string in the running-config and the startup-config file. 
Encryption is enabled by default. When encryption is enabled, the community string is encrypted in the CLI 
regardless of the access level you are using. In the Web management interface, the community string is 
encrypted at the read-only access level but is visible at the read-write access level. 

The encryption option can be omitted (the default) or can be one of the following. 

• 0 - Disables encryption for the community string you specify with the command. The community string is 
shown as clear text in the running-config and the startup-config file. Use this option if you do not want 
display of the community string to be encrypted. 

• 1 - Assumes that the community string you enter is the encrypted form, and decrypts the value before using 
it. 



NOTE: If you want the software to assume that the value you enter is the clear-text form, and to encrypt display 
of that form, do not enter 0 or 1. Instead, omit the encryption option and allow the software to use the default 
behavior. 

If you specify encryption option 1, the software assumes that you are entering the encrypted form of the 
community string. In this case, the software decrypts the community string you enter before using the value for 
authentication. If you accidentally enter option 1 followed by the clear-text version of the community string, 
authentication will fail because the value used by the software will not match the value you intended to use. 



The command in the example above adds the read-write SNMP community string "private". When you save the 
new community string to the startup-config file (using the write memory command), the software adds the 
following command to the file: 

snmp-server community 1 <encrypted-String> rw 

To add a non-encrypted community string, you must explicitly specify that you do not want the software to 
encrypt the string. Here is an example: 

HP9300(config)# snmp-server community 0 private rw 
HP9300(config)# write memory 

The command in this example adds the string "private" in the clear, which means the string is displayed in the 
clear. When you save the new community string to the startup-config file, the software adds the following 
command to the file: 

snmp-server community 0 private rw 
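As an added example, not part of the manual or of the HP software, the following Python script audits the snmp-server community lines of a saved configuration for the weak settings this section and "Using ACLs to Restrict SNMP Access" describe: a string written with option 0 (stored in the clear), the default read-only string "public" still present, and a string with no ACL number restricting which managers may use it. The configuration fragment is constructed, and the ENCRYPTED-PLACEHOLDER tokens stand in for whatever encrypted form the device actually writes; the function names are the example's own.

```python
"""Audit saved 'snmp-server community' lines for weak settings.

Added example, not HP software. It parses the command form the manual
documents, 'snmp-server community [0|1] <string> ro|rw [<acl-num>]':
a leading 0 means the string is stored in the clear, 1 means it is the
encrypted form, and no option means the device encrypts it on save.
"""
import re
from typing import Dict, List, Optional, Tuple

_COMMUNITY = re.compile(
    r"^\s*snmp-server\s+community\s+(?:(?P<enc>[01])\s+)?"
    r"(?P<string>\S+)\s+(?P<mode>ro|rw)(?:\s+(?P<acl>\d{1,2}))?\s*$"
)


def parse_community(line: str) -> Optional[Dict]:
    """Parse one 'snmp-server community' line; None for any other line."""
    m = _COMMUNITY.match(line)
    if not m:
        return None
    return {
        "string": m["string"],
        "mode": m["mode"],
        # 0 = stored in the clear; 1 = stored encrypted; option omitted =
        # the device encrypts the string when it writes the file (default)
        "clear_text": m["enc"] == "0",
        "acl": int(m["acl"]) if m["acl"] else None,
    }


def mask(secret: str) -> str:
    """Keep only the first character so the audit output does not leak it."""
    return secret[0] + "*" * (len(secret) - 1)


def audit_config(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, masked label, issue) for each weak community line."""
    findings: List[Tuple[int, str, str]] = []
    for number, line in enumerate(text.splitlines(), start=1):
        entry = parse_community(line)
        if entry is None:
            continue
        label = f"{mask(entry['string'])} ({entry['mode']})"
        if entry["clear_text"]:
            findings.append((number, label,
                             "community string stored in clear text (option 0)"))
        if entry["string"] == "public":
            findings.append((number, label,
                             "default read-only community 'public' still configured"))
        if entry["acl"] is None:
            findings.append((number, label,
                             "no ACL restricts which managers may use this string"))
    return findings


# Constructed startup-config fragment; not taken from a real device.
# ENCRYPTED-PLACEHOLDER-n stands in for the device's encrypted form.
SAMPLE_CONFIG = """\
! constructed startup-config fragment
hostname HP9300
snmp-server community 1 ENCRYPTED-PLACEHOLDER-1 rw 30
snmp-server community 0 private rw
snmp-server community public ro
snmp-server community 1 ENCRYPTED-PLACEHOLDER-2 ro 25
telnet access-group 10
"""

if __name__ == "__main__":
    for number, label, issue in audit_config(SAMPLE_CONFIG):
        print(f"line {number}: {label}: {issue}")
```

Lines 3 and 6 of the fragment pass (encrypted on disk and tied to ACLs 30 and 25), while line 4 is reported twice (clear text, no ACL) and line 5 twice (default "public", no ACL). Because the audit works on the saved file, it catches the case the section warns about: a string written with option 0 stays readable by anyone who can display or TFTP the configuration.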



3-14 



Securing Access 



Displaying the SNMP Community Strings 

To display the configured community strings, enter the following command at any CLI level: 

HP9300(config)# show snmp server 

Syntax: show snmp server 

See the Command Line Interface Reference for an example of the information displayed by the command. 

NOTE: If display of the strings is encrypted, the strings are not displayed. Encryption is enabled by default. 



USING THE WEB MANAGEMENT INTERFACE 



NOTE: To make configuration changes, including changes involving SNMP community strings, you must first 
configure a read-write community string using the CLI. Alternatively, you must configure another authentication 
method and log on to the CLI using a valid password for that method. 



1. Log on to the device using a valid user name and password for read-write access. The System configuration 
panel is displayed. 



NOTE: If you have configured the device to secure Web management access using local user accounts, 
you must instead enter the user name and password of one of the user accounts. See "Setting Up Local User 
Accounts" on page 3-11. 






1. Select the Management link from the System configuration panel to display the following panel. 



[Management panel: Web Management (Disable / Enable), SNMP (Disable / Enable), TELNET (Disable / Enable), Telnet Authentication (Disable / Enable), Telnet Time Out and Telnet Password fields; Apply and Reset buttons; links to Web Preference, User Account, Authentication Methods, System Log, Community String, Trap and Trap Receiver] 

[Enter Network Password dialog: "Please type your user name and password." Site: 209.157.22.1, Realm: Web Management, User Name: set, Password: (blank), OK / Cancel] 
2. Select the Community String link to display the SNMP Community String panel, as shown in the following 
example. This example shows the table listed for a system that is configured only with the default read-only 
community string "public". 



[Figure: SNMP Community String panel listing the configured strings. The table shows one entry of type get with the community string public and a Delete link; an Add Community String link appears below the table.] 

3. Select the Add Community String link to display a panel such as the following. 



[Figure: SNMP Community String panel with Type selectors (Get or Set), a Community String field containing "private", an Encrypt checkbox, Add, Delete and Reset buttons, and a Show link.] 



4. Select the community string type: 

• Select Get for a read-only string. 

• Select Set for a read-write string. 

5. Enter the community string in the Community String field. 

6. Select the Encrypt checkbox to remove the checkmark if you want to disable encryption of the string display. 
Encryption prevents other users from seeing the string in the CLI or Web management interface. If you 
disable encryption, other users can view the community string. Encryption is enabled by default. 

To re-enable encryption, select the checkbox to place a checkmark in the box. 

7. Click the Add button to save the change to the device's running-config file. 

8. Repeat steps 5 - 7 for each string you want to add. You can add as many strings as you need. The limit 
depends only on the available system memory. 

9. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change 
to the startup-config file on the device's flash memory. 

Configuring TACACS/TACACS+ Security 

You can use the security protocol Terminal Access Controller Access Control System (TACACS) or TACACS+ to 
authenticate the following kinds of access to the HP device: 

• Telnet access 

• SSH access 

• Web management access 

• Access to the Privileged EXEC level and CONFIG levels of the CLI 

The TACACS and TACACS+ protocols define how authentication, authorization, and accounting information is 
sent between an HP device and an authentication database on a TACACS/TACACS+ server. TACACS/TACACS+ 
services are maintained in a database, typically on a UNIX workstation or PC with a TACACS/TACACS+ server 
running. 

How TACACS+ Differs from TACACS 

TACACS is a simple UDP-based access control protocol originally developed by BBN for MILNET. TACACS+ is 
an enhancement to TACACS and uses TCP to ensure reliable delivery. 

TACACS+ is an enhancement to the TACACS security protocol. TACACS+ improves on TACACS by separating 
the functions of authentication, authorization, and accounting (AAA) and by encrypting all traffic between the HP 
device and the TACACS+ server. TACACS+ allows for arbitrary length and content authentication exchanges, 
which allow any authentication mechanism to be utilized with the HP device. TACACS+ is extensible to provide 
for site customization and future development features. The protocol allows the HP device to request very precise 
access control and allows the TACACS+ server to respond to each component of that request. 



NOTE: TACACS+ provides for authentication, authorization, and accounting, but an implementation or 
configuration is not required to employ all three. 



TACACS/TACACS+ Authentication, Authorization, and Accounting 

When you configure an HP device to use a TACACS/TACACS+ server for authentication, the device prompts 
users who are trying to access the CLI for a user name and password, then verifies the password with the 
TACACS/TACACS+ server. 

If you are using TACACS+, HP recommends that you also configure authorization, in which the HP device 
consults a TACACS+ server to determine which management privilege level (and which associated set of 
commands) an authenticated user is allowed to use. You can also optionally configure accounting, which causes 
the HP device to log information on the TACACS+ server when specified events occur on the device. 



NOTE: In releases prior to 07.1.10, a user logging into the device via Telnet or SSH would first enter the User 
EXEC level. The user could then enter the enable command to get to the Privileged EXEC level. 

Starting with release 07.1.10, a user that is successfully authenticated by a RADIUS or TACACS+ server is 
automatically placed at the Privileged EXEC level after login. 



TACACS Authentication 

When TACACS authentication takes place, the following events occur: 

1. A user attempts to gain access to the HP device by doing one of the following: 

• Logging into the device using Telnet, SSH, or the Web management interface 

• Entering the Privileged EXEC level or CONFIG level of the CLI 

2. The user is prompted for a username and password. 

3. The user enters a username and password. 

4. The HP device sends a request containing the username and password to the TACACS server. 

5. The username and password are validated in the TACACS server's database. 

6. If the password is valid, the user is authenticated. 
TACACS+ Authentication 

When TACACS+ authentication takes place, the following events occur: 

1. A user attempts to gain access to the HP device by doing one of the following: 

• Logging into the device using Telnet, SSH, or the Web management interface 

• Entering the Privileged EXEC level or CONFIG level of the CLI 

2. The user is prompted for a username. 

3. The user enters a username. 

4. The HP device obtains a password prompt from a TACACS+ server. 

5. The user is prompted for a password. 

6. The user enters a password. 

7. The HP device sends the password to the TACACS+ server. 

8. The password is validated in the TACACS+ server's database. 

9. If the password is valid, the user is authenticated. 

TACACS+ Authorization 

HP devices support two kinds of TACACS+ authorization: 

• Exec authorization determines a user's privilege level when they are authenticated 

• Command authorization consults a TACACS+ server to get authorization for commands entered by the user 

When TACACS+ exec authorization takes place, the following events occur: 

1. A user logs into the HP device using Telnet, SSH, or the Web management interface 

2. The user is authenticated. 

3. The HP device consults the TACACS+ server to determine the privilege level of the user. 

4. The TACACS+ server sends back a response containing an A-V (Attribute-Value) pair with the privilege level 
of the user. 

5. The user is granted the specified privilege level. 

When TACACS+ command authorization takes place, the following events occur: 

1. A Telnet, SSH, or Web management interface user previously authenticated by a TACACS+ server enters a 
command on the HP device. 

2. The HP device looks at its configuration to see if the command is at a privilege level that requires TACACS+ 
command authorization. 

3. If the command belongs to a privilege level that requires authorization, the HP device consults the TACACS+ 
server to see if the user is authorized to use the command. 

4. If the user is authorized to use the command, the command is executed. 

TACACS+ Accounting 

TACACS+ accounting works as follows: 

1. One of the following events occurs on the HP device: 

• A user logs into the management interface using Telnet or SSH 

• A user enters a command for which accounting has been configured 

• A system event occurs, such as a reboot or reloading of the configuration file 

2. The HP device checks its configuration to see if the event is one for which TACACS+ accounting is required. 
3. If the event requires TACACS+ accounting, the HP device sends a TACACS+ Accounting Start packet to the 
TACACS+ accounting server, containing information about the event. 

4. The TACACS+ accounting server acknowledges the Accounting Start packet. 

5. The TACACS+ accounting server records information about the event. 

6. When the event is concluded, the HP device sends an Accounting Stop packet to the TACACS+ accounting 
server. 

7. The TACACS+ accounting server acknowledges the Accounting Stop packet. 

AAA Operations for TACACS/TACACS+ 

The following table lists the sequence of authentication, authorization, and accounting operations that take place 
when a user gains access to an HP device that has TACACS/TACACS+ security configured. 



User Action: User attempts to gain access to the Privileged EXEC and CONFIG levels of the CLI 
Applicable AAA Operations: 
    Enable authentication: 
        aaa authentication enable default <method-list> 
    Exec authorization (TACACS+): 
        aaa authorization exec default tacacs+ 
    System accounting start (TACACS+): 
        aaa accounting system default start-stop <method-list> 

User Action: User logs in using Telnet/SSH 
Applicable AAA Operations: 
    Login authentication: 
        aaa authentication login default <method-list> 
    Exec authorization (TACACS+): 
        aaa authorization exec default tacacs+ 
    Exec accounting start (TACACS+): 
        aaa accounting exec default <method-list> 
    System accounting start (TACACS+): 
        aaa accounting system default start-stop <method-list> 

User Action: User logs into the Web management interface 
Applicable AAA Operations: 
    Web authentication: 
        aaa authentication web-server default <method-list> 
    Exec authorization (TACACS+): 
        aaa authorization exec default tacacs+ 

User Action: User logs out of Telnet/SSH session 
Applicable AAA Operations: 
    Command authorization for logout command (TACACS+): 
        aaa authorization commands <privilege-level> default <method-list> 
    Command accounting (TACACS+): 
        aaa accounting commands <privilege-level> default start-stop <method-list> 
    EXEC accounting stop (TACACS+): 
        aaa accounting exec default start-stop <method-list> 

User Action: User enters system commands (for example, reload, boot system) 
Applicable AAA Operations: 
    Command authorization (TACACS+): 
        aaa authorization commands <privilege-level> default <method-list> 
    Command accounting (TACACS+): 
        aaa accounting commands <privilege-level> default start-stop <method-list> 
    System accounting stop (TACACS+): 
        aaa accounting system default start-stop <method-list> 

User Action: User enters the command: [no] aaa accounting system default start-stop <method-list> 
Applicable AAA Operations: 
    Command authorization (TACACS+): 
        aaa authorization commands <privilege-level> default <method-list> 
    Command accounting (TACACS+): 
        aaa accounting commands <privilege-level> default start-stop <method-list> 
    System accounting start (TACACS+): 
        aaa accounting system default start-stop <method-list> 

User Action: User enters other commands 
Applicable AAA Operations: 
    Command authorization (TACACS+): 
        aaa authorization commands <privilege-level> default <method-list> 
    Command accounting (TACACS+): 
        aaa accounting commands <privilege-level> default start-stop <method-list> 


TACACS/TACACS+ Configuration Considerations 

• You must deploy at least one TACACS/TACACS+ server in your network. 

• HP devices support authentication using up to eight TACACS/TACACS+ servers. The device tries to use the 
servers in the order you add them to the device's configuration. 

• You can select only one primary authentication method for each type of access to a device (CLI through 
Telnet, CLI Privileged EXEC and CONFIG levels). For example, you can select TACACS+ as the primary 
authentication method for Telnet CLI access, but you cannot also select RADIUS authentication as a primary 
method for the same type of access. However, you can configure backup authentication methods for each 
access type. 

• You can configure the HP device to authenticate using a TACACS or TACACS+ server, not both. 

TACACS Configuration Procedure 

For TACACS configurations, use the following procedure: 

1. Identify TACACS servers. See "Identifying the TACACS/TACACS+ Servers" on page 3-21. 

2. Set optional parameters. See "Setting Optional TACACS/TACACS+ Parameters" on page 3-21. 

3. Configure authentication-method lists. See "Configuring Authentication-Method Lists for TACACS/ 
TACACS+" on page 3-22. 

TACACS+ Configuration Procedure 

For TACACS+ configurations, use the following procedure: 

1. Identify TACACS+ servers. See "Identifying the TACACS/TACACS+ Servers" on page 3-21. 

2. Set optional parameters. See "Setting Optional TACACS/TACACS+ Parameters" on page 3-21. 

3. Configure authentication-method lists. See "Configuring Authentication-Method Lists for TACACS/ 
TACACS+" on page 3-22. 

4. Optionally configure TACACS+ authorization. See "Configuring TACACS+ Authorization" on page 3-24. 

5. Optionally configure TACACS+ accounting. See "Configuring TACACS+ Accounting" on page 3-25. 

Identifying the TACACS/TACACS+ Servers 

To use TACACS/TACACS+ servers to authenticate access to an HP device, you must identify the servers to the 
HP device. 

For example, to identify three TACACS/TACACS+ servers, enter commands such as the following: 

HP9300(config)# tacacs-server host 207.94.6.161 
HP9300(config)# tacacs-server host 207.94.6.191 
HP9300(config)# tacacs-server host 207.94.6.122 

Syntax: tacacs-server <ip-addr> | <hostname> [auth-port <number>] 

The <ip-addr> | <hostname> parameter specifies the IP address or host name of the server. You can enter up to 
eight tacacs-server host commands to specify up to eight different servers. 



NOTE: To specify the server's host name instead of its IP address, you must first identify a DNS server using the 
ip dns server-address <ip-addr> command at the global CONFIG level. 



If you add multiple TACACS/TACACS+ authentication servers to the HP device, the device tries to reach them in 
the order you add them. For example, if you add three servers in the following order, the software tries the servers 
in the same order: 

1. 207.94.6.161 

2. 207.94.6.191 

3. 207.94.6.122 

You can remove a TACACS/TACACS+ server by entering no followed by the tacacs-server command. For 
example, to remove 207.94.6.161, enter the following command: 

HP9300(config)# no tacacs-server host 207.94.6.161 



NOTE: If you erase a tacacs-server command (by entering "no" followed by the command), make sure you also 
erase the aaa commands that specify TACACS/TACACS+ as an authentication method. (See "Configuring 
Authentication-Method Lists for TACACS/TACACS+" on page 3-22.) Otherwise, when you exit from the CONFIG 
mode or from a Telnet session, the system continues to believe it is TACACS/TACACS+ enabled and you will not 
be able to access the system. 



The auth-port parameter specifies the UDP (for TACACS) or TCP (for TACACS+) port number of the 
authentication port on the server. The default port number is 49. 

Setting Optional TACACS/TACACS+ Parameters 

You can set the following optional parameters in a TACACS/TACACS+ configuration: 

• TACACS+ key - This parameter specifies the value that the HP device sends to the TACACS+ server when 
trying to authenticate user access. 

• Retransmit interval - This parameter specifies how many times the HP device will resend an authentication 
request when the TACACS/TACACS+ server does not respond. The retransmit value can be from 1 - 5 
times. The default is 3 times. 

• Dead time - This parameter specifies how long the HP device waits for the primary authentication server to 
reply before deciding the server is dead and trying to authenticate using the next server. The dead-time value 
can be from 1 - 5 seconds. The default is 3 seconds. 

• Timeout - This parameter specifies how many seconds the HP device waits for a response from a TACACS/ 
TACACS+ server before either retrying the authentication request, or determining that the TACACS/ 
TACACS+ servers are unavailable and moving on to the next authentication method in the authentication- 
method list. The timeout can be from 1 - 15 seconds. The default is 3 seconds. 

Setting the TACACS+ Key 

The key parameter in the tacacs-server command is used to encrypt TACACS+ packets before they are sent 
over the network. The value for the key parameter on the HP device should match the one configured on the 
TACACS+ server. The key can be from 1 - 32 characters in length. 



NOTE: The tacacs-server key command applies only to TACACS+ servers, not to TACACS servers. If you are 
configuring TACACS, do not configure a key on the TACACS server and do not enter a key on the HP device. 



To specify a TACACS+ server key: 

HP9300(config)# tacacs-server key rkwong 

Syntax: tacacs-server key <key-string> 

Setting the Retransmission Limit 

The retransmit parameter specifies how many times the HP device will resend an authentication request when 
the TACACS/TACACS+ server does not respond. The retransmit limit can be from 1 - 5 times. The default is 3 
times. 

To set the TACACS/TACACS+ retransmit limit: 

HP9300(config)# tacacs-server retransmit 5 

Syntax: tacacs-server retransmit <number> 

Setting the Dead Time Parameter 

The dead-time parameter specifies how long the HP device waits for the primary authentication server to reply 
before deciding the server is dead and trying to authenticate using the next server. The dead-time value can be 
from 1 - 5 seconds. The default is 3 seconds. 

To set the TACACS/TACACS+ dead-time value: 

HP9300(config)# tacacs-server dead-time 5 

Syntax: tacacs-server dead-time <number> 

Setting the Timeout Parameter 

The timeout parameter specifies how many seconds the HP device waits for a response from the TACACS/ 
TACACS+ server before either retrying the authentication request, or determining that the TACACS/TACACS+ 
server is unavailable and moving on to the next authentication method in the authentication-method list. The 
timeout can be from 1-15 seconds. The default is 3 seconds. 

HP9300(config)# tacacs-server timeout 5 

Syntax: tacacs-server timeout <number> 

Configuring Authentication-Method Lists for TACACS/TACACS+ 

You can use TACACS/TACACS+ to authenticate Telnet/SSH access and access to Privileged EXEC level and 
CONFIG levels of the CLI. When configuring TACACS/TACACS+ authentication, you create authentication- 
method lists specifically for these access methods, specifying TACACS/TACACS+ as the primary authentication 
method. 

Within the authentication-method list, TACACS/TACACS+ is specified as the primary authentication method and 
up to six backup authentication methods are specified as alternates. If TACACS/TACACS+ authentication fails 
due to an error, the device tries the backup authentication methods in the order they appear in the list. 

When you configure authentication-method lists for TACACS/TACACS+ authentication, you must create a 
separate authentication-method list for Telnet/SSH CLI access, and for access to the Privileged EXEC level and 
CONFIG levels of the CLI. 

To create an authentication-method list that specifies TACACS/TACACS+ as the primary authentication method 
for securing Telnet/SSH access to the CLI: 

HP9300(config)# enable telnet authentication 

HP9300(config)# aaa authentication login default tacacs local 

The commands above cause TACACS/TACACS+ to be the primary authentication method for securing Telnet/ 
SSH access to the CLI. If TACACS/TACACS+ authentication fails due to an error with the server, authentication is 
performed using local user accounts instead. 

To create an authentication-method list that specifies TACACS/TACACS+ as the primary authentication method 
for securing access to Privileged EXEC level and CONFIG levels of the CLI: 

HP9300(config)# aaa authentication enable default tacacs local none 

The command above causes TACACS/TACACS+ to be the primary authentication method for securing access to 
Privileged EXEC level and CONFIG levels of the CLI. If TACACS/TACACS+ authentication fails due to an error 
with the server, local authentication is used instead. If local authentication fails, no authentication is used; the 
device automatically permits access. 

Syntax: [no] aaa authentication enable | login default <method1> [<method2>] [<method3>] [<method4>] 
[<method5>] [<method6>] [<method7>] 

The web-server | enable | login parameter specifies the type of access this authentication-method list controls. 
You can configure one authentication-method list for each type of access. 
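As an added example (not HP code), the following Python models how such a method list is evaluated, so that a list's behaviour can be checked before it is applied: a backup method is consulted only when the previous method fails with an error, and a trailing none grants access once every earlier method has errored. The TACACS+ server and local-account methods are constructed stand-ins; treating "no local accounts configured" as an error rather than a rejection is an assumption, since the page does not state which it is.

```python
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"   # the method answered and refused the credentials
    ERROR = "error"     # the method could not answer; fall through to the next one


Method = Callable[[str, str], Result]   # (username, password) -> Result

ACCESS_TYPES = ("enable", "login", "web-server")
KNOWN_METHODS = ("line", "enable", "local", "tacacs", "tacacs+", "radius", "none")
SERVER_METHODS = ("tacacs", "tacacs+", "radius")


def parse_method_list(command: str) -> Tuple[str, List[str]]:
    """Parse 'aaa authentication <enable|login|web-server> default <m1> [<m2> ...]'
    into (access_type, methods); the CLI takes one primary and up to six backups."""
    words = command.split()
    if len(words) < 5 or words[:2] != ["aaa", "authentication"] or words[3] != "default":
        raise ValueError(f"not an 'aaa authentication ... default' command: {command!r}")
    access_type, methods = words[2], words[4:]
    if access_type not in ACCESS_TYPES:
        raise ValueError(f"unknown access type {access_type!r}")
    if len(methods) > 7:
        raise ValueError("a method list holds at most seven methods")
    for name in methods:
        if name not in KNOWN_METHODS:
            raise ValueError(f"unknown authentication method {name!r}")
    return access_type, methods


def authenticate(methods: List[str], registry: Dict[str, Method],
                 user: str, password: str) -> Tuple[Result, str]:
    """Walk the list in order; return the deciding Result and the method that gave it."""
    for name in methods:
        if name == "none":
            return Result.ACCEPT, "none"    # 'none' permits access without any check
        result = registry[name](user, password)
        if result is Result.ERROR:
            continue                        # only an error reaches the next method
        return result, name
    return Result.REJECT, methods[-1]       # every method errored and no 'none' follows


def outcome_when_servers_down(methods: List[str], registry: Dict[str, Method],
                              user: str, password: str) -> Tuple[Result, str]:
    """Defender's check: re-run the list with every server-backed method forced to
    ERROR, to see what the backups alone decide during a server outage."""
    down = {name: ((lambda u, p: Result.ERROR) if name in SERVER_METHODS else fn)
            for name, fn in registry.items()}
    return authenticate(methods, down, user, password)


def make_local(accounts: Dict[str, str]) -> Method:
    """Constructed local-account method. Assumption: with no local accounts configured
    the method cannot decide (ERROR); otherwise a wrong or unknown user is a REJECT."""
    def local(user: str, password: str) -> Result:
        if not accounts:
            return Result.ERROR
        return Result.ACCEPT if accounts.get(user) == password else Result.REJECT
    return local


def make_tacacs(reachable: bool, accounts: Dict[str, str]) -> Method:
    """Constructed stand-in for a TACACS+ server: ERROR when unreachable, otherwise
    ACCEPT or REJECT against its own user database."""
    def tacacs(user: str, password: str) -> Result:
        if not reachable:
            return Result.ERROR
        return Result.ACCEPT if accounts.get(user) == password else Result.REJECT
    return tacacs


def demo() -> Dict[str, str]:
    """Evaluate the two lists configured above with the TACACS+ server unreachable,
    no local accounts, and a user unknown to both. Returns {command: outcome}."""
    server_users = {"bob": "cat"}   # constructed sample database
    results = {}
    for cmd in ("aaa authentication login default tacacs local",
                "aaa authentication enable default tacacs local none"):
        _, methods = parse_method_list(cmd)
        registry = {"tacacs": make_tacacs(False, server_users), "local": make_local({})}
        result, decided_by = authenticate(methods, registry, "intruder", "guess")
        results[cmd] = f"{result.value} (decided by {decided_by})"
    return results


if __name__ == "__main__":
    for cmd, outcome in demo().items():
        print(f"{cmd}: {outcome}")
```

Running demo() shows the difference between the two lists during an outage: the login list ends in a rejection, while the enable list ends in "accept (decided by none)".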



NOTE: If you configure authentication for Web management access, authentication is performed each time a 
page is requested from the server. When frames are enabled on the Web management interface, the browser 
sends an HTTP request for each frame. The HP device authenticates each HTTP request from the browser. To 
limit authentications to one per page, disable frames on the Web management interface. 



The <method1> parameter specifies the primary authentication method. The remaining optional <method> 
parameters specify additional methods to try if an error occurs with the primary method. A method can be one of 
the values listed in the Method Parameter column in the following table. 



Table 3.2: Authentication Method Values 

Method Parameter    Description 

line 
    Authenticate using the password you configured for Telnet access. The Telnet password is configured 
    using the enable telnet password... command. See "Setting a Telnet Password" on page 3-8. 

enable 
    Authenticate using the password you configured for the Super User privilege level. This password is 
    configured using the enable super-user-password... command. See "Setting Passwords for Management 
    Privilege Levels" on page 3-9. 

local 
    Authenticate using a local user name and password you configured on the device. Local user names and 
    passwords are configured using the username... command. See "Configuring a Local User Account" on 
    page 3-11. 

tacacs 
    Authenticate using the database on a TACACS server. You also must identify the server to the device 
    using the tacacs-server command. 

tacacs+ 
    Authenticate using the database on a TACACS+ server. You also must identify the server to the device 
    using the tacacs-server command. 

radius 
    Authenticate using the database on a RADIUS server. You also must identify the server to the device 
    using the radius-server command. 

none 
    Do not use any authentication method. The device automatically permits access. 



NOTE: For examples of how to define authentication-method lists for types of authentication other than 
TACACS/TACACS+, see "Configuring Authentication-Method Lists" on page 3-44. 



Configuring TACACS+ Authorization 

HP devices support TACACS+ authorization for controlling access to management functions in the CLI. Two 
kinds of TACACS+ authorization are supported: 

• Exec authorization determines a user's privilege level when they are authenticated 

• Command authorization consults a TACACS+ server to get authorization for commands entered by the user 

Configuring Exec Authorization 

When TACACS+ exec authorization is performed, the HP device consults a TACACS+ server to determine the 
privilege level of the authenticated user. To configure TACACS+ exec authorization on the HP device, enter the 
following command: 

HP9300(config)# aaa authorization exec default tacacs+ 

Syntax: aaa authorization exec default tacacs+ | none 

Configuring an Attribute-Value Pair on the TACACS+ Server 

During TACACS+ exec authorization, the TACACS+ server sends the HP device a response containing an A-V 
(Attribute-Value) pair that specifies the privilege level of the user. When it receives the response, the HP device 
extracts the first A-V pair configured for the Exec service and uses it to determine the user's privilege level. 

To set a user's privilege level, you configure an A-V pair for the Exec service on the TACACS+ server that specifies 
the user's privilege level. For example: 

user=bob { 
    default service = permit 
    member admin 
    # Global password 
    global = cleartext "cat" 
    service = exec { 
        privlvl = 0 
    } 
} 

In this example, the first A-V pair configured for the Exec service is privlvl = 0, which grants the user full read- 
write access. The Attribute name in the A-V pair is not significant. The Value must be an integer (0, 4, or 5) that 
indicates the privilege level of the user. When no privilege level is specified, the default privilege level of 5 (read- 
only) is used. The A-V pair can also be embedded in the group configuration for the user. See your TACACS+ 
documentation for the configuration syntax relevant to your server. 

Configuring Command Authorization 

When TACACS+ command authorization is enabled, the HP device consults a TACACS+ server to get 
authorization for commands entered by the user. 
You enable TACACS+ command authorization by specifying a privilege level whose commands require 
authorization. For example, to configure the HP device to perform authorization for the commands available at the 
Super User privilege level (that is, all commands on the device), enter the following command: 

HP9300(config)# aaa authorization commands 0 default tacacs+ 

Syntax: aaa authorization commands <privilege-level> default tacacs+ | radius | none 

The <privilege-level> parameter can be one of the following: 

• 0 - Authorization is performed for commands available at the Super User level (all commands) 

• 4 - Authorization is performed for commands available at the Port Configuration level (port-config and read- 
only commands) 

• 5 - Authorization is performed for commands available at the Read Only level (read-only commands) 

NOTE: TACACS+ command authorization is performed only for commands entered from Telnet or SSH 
sessions. No authorization is performed for commands entered at the console or the Web management interface. 
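The exec-authorization privilege-level rule and the command-authorization levels described above, as an added Python example that is not HP or tac_plus code: it pulls the exec-service A-V pairs out of a user entry like the one shown, resolves the privilege level by the stated rule (first pair wins, attribute name ignored, value 0, 4 or 5, default 5 when no pair is present), and decides whether a configured aaa authorization commands level covers a given command. Refusing out-of-range values and representing each command by the lowest privilege level at which it is available are assumptions, since the page does not specify either.

```python
import re
from typing import List, Tuple

PRIVILEGE_NAMES = {0: "Super User", 4: "Port Configuration", 5: "Read Only"}
DEFAULT_LEVEL = 5          # no privilege level returned: read-only

AVPair = Tuple[str, str]   # (attribute, value) as sent by the server


def validate_privilege_value(value: str) -> bool:
    """True only for the integer values the device understands (0, 4 or 5).
    Assumption: anything else (e.g. a Cisco-style priv-lvl=15) is refused."""
    return value.strip().isdigit() and int(value) in PRIVILEGE_NAMES


def resolve_privilege(av_pairs: List[AVPair]) -> int:
    """Apply the device's rule to the pairs in the order the server sent them."""
    if not av_pairs:
        return DEFAULT_LEVEL                 # no level specified: read-only default
    attr, value = av_pairs[0]                # only the first exec pair counts
    if not validate_privilege_value(value):  # the attribute name is not checked
        raise ValueError(f"cannot map {attr}={value!r} to a privilege level (need 0, 4 or 5)")
    return int(value)


def extract_exec_block(entry: str) -> str:
    """Return the text between the braces of the first 'service = exec { ... }'
    block in a tac_plus-style user entry, or '' if the entry has none."""
    match = re.search(r"service\s*=\s*exec\s*\{", entry)
    if not match:
        return ""
    depth, start = 1, match.end()
    for i in range(start, len(entry)):
        if entry[i] == "{":
            depth += 1
        elif entry[i] == "}":
            depth -= 1
            if depth == 0:
                return entry[start:i]
    raise ValueError("unbalanced braces in exec block")


def parse_av_pairs(block: str) -> List[AVPair]:
    """Turn 'attr = value' lines into ordered pairs, ignoring comments and blanks."""
    pairs = []
    for raw in block.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            attr, _, value = line.partition("=")
            pairs.append((attr.strip(), value.strip()))
    return pairs


def privilege_for_entry(entry: str) -> int:
    """End to end: user entry -> exec block -> A-V pairs -> privilege level."""
    return resolve_privilege(parse_av_pairs(extract_exec_block(entry)))


def command_requires_authorization(configured_level: int, command_level: int) -> bool:
    """'aaa authorization commands <level>' covers every command available at that
    level: 0 covers all commands, 4 covers port-config and read-only commands, and
    5 covers read-only commands only. command_level is the lowest level at which
    the command is available (assumed representation), so higher numbers are
    less privileged and fall inside a lower configured level."""
    if configured_level not in PRIVILEGE_NAMES or command_level not in PRIVILEGE_NAMES:
        raise ValueError("levels must be 0, 4 or 5")
    return command_level >= configured_level


# Constructed copy of the user entry shown above, as a server would store it.
SAMPLE_ENTRY = """\
user=bob {
    default service = permit
    member admin
    # Global password
    global = cleartext "cat"
    service = exec {
        privlvl = 0
    }
}
"""

if __name__ == "__main__":
    level = privilege_for_entry(SAMPLE_ENTRY)
    print(f"bob -> privilege {level} ({PRIVILEGE_NAMES[level]})")
```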



Configuring TACACS+ Accounting 

HP devices support TACACS+ accounting for recording information about user activity and system events. When 
you configure TACACS+ accounting on an HP device, information is sent to a TACACS+ accounting server when 
specified events occur, such as when a user logs into the device or the system is rebooted. 

Configuring TACACS+ Accounting for Telnet/SSH (Shell) Access 

To send an Accounting Start packet to the TACACS+ accounting server when an authenticated user establishes a 
Telnet or SSH session on the HP device, and an Accounting Stop packet when the user logs out: 

HP9300(config)# aaa accounting exec default start-stop tacacs+ 

Syntax: aaa accounting exec default start-stop radius | tacacs+ | none 

Configuring TACACS+ Accounting for CLI Commands 

You can configure TACACS+ accounting for CLI commands by specifying a privilege level whose commands 
require accounting. For example, to configure the HP device to perform TACACS+ accounting for the commands 
available at the Super User privilege level (that is, all commands on the device), enter the following command: 

HP9300(config)# aaa accounting commands 0 default start-stop tacacs+ 

An Accounting Start packet is sent to the TACACS+ accounting server when a user enters a command, and an 
Accounting Stop packet is sent when the service provided by the command is completed. 

NOTE: If authorization is enabled, and the command requires authorization, then authorization is performed 
before accounting takes place. If authorization fails for the command, no accounting takes place. 

Syntax: aaa accounting commands <privilege-level> default start-stop radius | tacacs+ | none 

The <privilege-level> parameter can be one of the following: 

• 0 - Records commands available at the Super User level (all commands) 

• 4 - Records commands available at the Port Configuration level (port-config and read-only commands) 

• 5 - Records commands available at the Read Only level (read-only commands) 

Configuring TACACS+ Accounting for System Events 

You can configure TACACS+ accounting to record when system events occur on the HP device. System events 
include rebooting and when changes to the active configuration are made. 

The following command causes an Accounting Start packet to be sent to the TACACS+ accounting server when a 
system event occurs, and an Accounting Stop packet to be sent when the system event is completed: 

HP9300(config)# aaa accounting system default start-stop tacacs+ 

Syntax: aaa accounting system default start-stop radius | tacacs+ | none 

Configuring an Interface as the Source for All TACACS/TACACS+ Packets 

You can designate the lowest-numbered IP address configured on an Ethernet port, loopback interface, or virtual 
interface as the source IP address for all TACACS/TACACS+ packets from the routing switch. Identifying a single 
source IP address for TACACS/TACACS+ packets provides the following benefits: 

• If your TACACS/TACACS+ server is configured to accept packets only from specific links or IP addresses, 
you can use this feature to simplify configuration of the TACACS/TACACS+ server by configuring the HP 
device to always send the TACACS/TACACS+ packets from the same link or source address. 

• If you specify a loopback interface as the single source for TACACS/TACACS+ packets, TACACS/TACACS+ 
servers can receive the packets regardless of the states of individual links. Thus, if a link to the TACACS/ 
TACACS+ server becomes unavailable but the client or server can be reached through another link, the client 
or server still receives the packets, and the packets still have the source IP address of the loopback interface. 

The software contains separate CLI commands for specifying the source interface for Telnet, TACACS/TACACS+, 
and RADIUS packets. You can configure a source interface for one or more of these types of packets. 

To specify an Ethernet port or a loopback or virtual interface as the source for all TACACS/TACACS+ packets from 
the device, use the following CLI method. The software uses the lowest-numbered IP address configured on the 
port or interface as the source IP address for TACACS/TACACS+ packets originated by the device. 

To specify the lowest-numbered IP address configured on a virtual interface as the device's source for all 
TACACS/TACACS+ packets, enter commands such as the following: 

HP9300(config)# int ve 1 
HP9300(config-vif-1)# ip address 10.0.0.3/24 
HP9300(config-vif-1)# exit 
HP9300(config)# ip tacacs source-interface ve 1 

The commands in this example configure virtual interface 1, assign IP address 10.0.0.3/24 to the interface, then 
designate the interface as the source for all TACACS/TACACS+ packets from the routing switch. 

Syntax: ip tacacs source-interface ethernet <portnum> | loopback <num> | ve <num> 

The <num> parameter is a loopback interface or virtual interface number. If you specify an Ethernet port, the 
<portnum> is the port's number (including the slot number, if you are configuring a chassis device). 

Displaying TACACS/TACACS+ Statistics and Configuration Information 

The show aaa command displays information about all TACACS+ and RADIUS servers identified on the device. 
For example: 

HP9300# show aaa 
Tacacs+ key: whistle 
Tacacs+ retries: 1 
Tacacs+ timeout: 15 seconds 
Tacacs+ dead-time: 3 minutes 
Tacacs+ Server: 207.95.6.90 Port: 49: 
    opens=6 closes=3 timeouts=3 errors=0 
    packets in=4 packets out=4 
    no connection 
Radius key: networks 
Radius retries: 3 
Radius timeout: 3 seconds 
Radius dead-time: 3 minutes 
Radius Server: 207.95.6.90 Auth Port=1645 Acct Port=1646: 
    opens=2 closes=1 timeouts=1 errors=0 
    packets in=1 packets out=4 
    no connection 
The following table describes the TACACS/TACACS+ information displayed by the show aaa command. 

Table 3.3: Output of the show aaa command for TACACS/TACACS+ 

Field                Description 

Tacacs+ key          The setting configured with the tacacs-server key command. At the Super User 
                     privilege level, the actual text of the key is displayed. At the other privilege levels, a 
                     string of periods (....) is displayed instead of the text. 

Tacacs+ retries      The setting configured with the tacacs-server retransmit command. 

Tacacs+ timeout      The setting configured with the tacacs-server timeout command. 

Tacacs+ dead-time    The setting configured with the tacacs-server dead-time command. 

Tacacs+ Server       For each TACACS/TACACS+ server, the IP address, port, and the following 
                     statistics are displayed: 
                       opens        Number of times the port was opened for communication with the server 
                       closes       Number of times the port was closed normally 
                       timeouts     Number of times the port was closed due to a timeout 
                       errors       Number of times an error occurred while opening the port 
                       packets in   Number of packets received from the server 
                       packets out  Number of packets sent to the server 

connection           The current connection status. This can be "no connection" or "connection active". 


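The fields above are what an operator checks to confirm that the device can actually reach its AAA servers. As an added example (not from the manual and not HP code), the following Python parses `show aaa` text in the format shown above into a structure and flags servers with no active connection, non-zero timeout or error counters, and a shared key that is shown in clear text (which the table says happens at the Super User level). The sample output is constructed from the format above, not captured from a device.

```python
"""Parse `show aaa` output and flag AAA server problems.
Added example; the sample text is constructed in the manual's format."""
import re

# Constructed sample in the format of the `show aaa` output shown above.
SAMPLE_SHOW_AAA = """\
Tacacs+ key: whistle
Tacacs+ retries: 1
Tacacs+ timeout: 15 seconds
Tacacs+ dead-time: 3 minutes
Tacacs+ Server: 207.95.6.90 Port: 49:
opens=6 closes=3 timeouts=3 errors=0
packets in=4 packets out=4
no connection
Radius key: networks
Radius retries: 3
Radius timeout : 3 seconds
Radius dead-time: 3 minutes
Radius Server: 207.95.6.90 Auth Port=1645 Acct Port=1646:
opens=2 closes=1 timeouts=1 errors=0
packets in=1 packets out=4
no connection
"""

SETTING_RE = re.compile(r"^(Tacacs\+|Radius) (key|retries|timeout|dead-time)\s*:\s*(\S+)")
SERVER_RE = re.compile(r"^(Tacacs\+|Radius) Server:\s*(\S+)")
COUNTER_RE = re.compile(r"(opens|closes|timeouts|errors|packets in|packets out)=(\d+)")


def parse_show_aaa(text):
    """Return {protocol: {"settings": {...}, "servers": [{address, counters, connection}]}}."""
    result = {"Tacacs+": {"settings": {}, "servers": []},
              "Radius": {"settings": {}, "servers": []}}
    current = None  # server block currently being filled
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SETTING_RE.match(line)
        if m:
            proto, name, value = m.groups()
            result[proto]["settings"][name] = value
            continue
        m = SERVER_RE.match(line)
        if m:
            proto, addr = m.groups()
            current = {"address": addr, "counters": {}, "connection": None}
            result[proto]["servers"].append(current)
            continue
        if current is None:
            continue
        counters = COUNTER_RE.findall(line)
        if counters:
            for name, value in counters:
                current["counters"][name] = int(value)
        elif line in ("no connection", "connection active"):
            current["connection"] = line
    return result


def find_problems(parsed):
    """List human-readable findings worth raising from a parsed `show aaa`."""
    problems = []
    for proto, data in parsed.items():
        key = data["settings"].get("key")
        # A key that is not a run of periods was shown in clear text (Super User level);
        # treat the output as sensitive before pasting it anywhere.
        if key and key.strip("."):
            problems.append(f"{proto}: shared key is shown in clear text in this output")
        for srv in data["servers"]:
            c = srv["counters"]
            if srv["connection"] != "connection active":
                problems.append(f"{proto} {srv['address']}: no active connection")
            if c.get("timeouts", 0) > 0 or c.get("errors", 0) > 0:
                problems.append(f"{proto} {srv['address']}: timeouts={c.get('timeouts', 0)} "
                                f"errors={c.get('errors', 0)}")
    return problems


if __name__ == "__main__":
    for finding in find_problems(parse_show_aaa(SAMPLE_SHOW_AAA)):
        print(finding)
```

Run against the sample, every server is reported because both show "no connection" and non-zero timeout counters; a healthy device would yield only the clear-text key finding when the output was taken at the Super User level.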

The show web command displays the privilege level of Web management interface users. For example: 

HP6208(config)# show web

User   Privilege   IP address
set    0           192.168.1.234

Syntax: show web 

USING THE WEB MANAGEMENT INTERFACE 

To configure TACACS/TACACS+ using the Web management interface: 

1. Log on to the device using a valid user name and password for read-write access. The System configuration 
panel is displayed. 

2. If you are configuring TACACS/TACACS+ authentication for Telnet access to the CLI, go to step 3. Otherwise, go 
to step 7. 

3. Select the Management link to display the Management configuration panel. 

4. Select Enable next to Telnet Authentication. You must enable Telnet authentication if you want to use 
TACACS/TACACS+ or RADIUS to authenticate Telnet access to the device. 

5. Click Apply to apply the change. 

6. Select the Home link to return to the System configuration panel. 

7. Select the TACACS link from the System configuration panel to display the TACACS panel. 

8. If needed, change the Authentication port and Accounting port. (The default values work in most networks.) 

9. Enter the key if applicable. 
NOTE: The key parameter applies only to TACACS+ servers, not to TACACS servers. If you are configuring 
for TACACS authentication, do not configure a key on the TACACS server and do not enter a key on the HP 
device. 

10. Click Apply if you changed any TACACS/TACACS+ parameters. 

11. Select the TACACS Server link. 

• If any TACACS/TACACS+ servers are already configured on the device, the servers are listed in a table. 
Select the Add TACACS Server link to display the following panel. 

• If the device does not have any TACACS servers configured, the following panel is displayed. 

[Figure: TACACS Server panel, with an IP Address field (0.0.0.0), an Auth UDP Port field, and Add, Delete and Reset buttons] 

12. Enter the server's IP address in the IP Address field. 

13. If needed, change the Authentication port and Accounting port. (The default values work in most networks.) 

14. Click Home to return to the System configuration panel, then select the Save link at the bottom of the dialog. 
Select Yes when prompted to save the configuration change to the startup-config file on the device's flash 
memory. 

15. Select the Management link to display the Management panel. 

16. Select the Authentication Methods link to display the Login Authentication Sequence panel, as shown in the 
following example. 

[Figure: Login Authentication Sequence panel. A Sequence/Method table at the top, an Authentication Method section with a Type pulldown (Login) and a Show Sequence button, radio buttons for Enable, Radius, Line, Local, TACACS+, TACACS and None, and Add and Delete buttons] 

17. Select the type of access for which you are defining the authentication method list from the Type field's 
pulldown menu. Each type of access must have a separate authentication-method list. For example, to 
define the authentication-method list for logging into the CLI, select Login. 

18. Select the primary authentication method by clicking on the radio button next to the method. For example, to 
use a TACACS+ server as the primary means of authentication for logging on to the CLI, select TACACS+. 

19. Click the Add button to save the change to the device's running-config file. 

The access type and authentication method you selected are displayed in the table at the top of the dialog. 
Each time you add an authentication method for a given access type, the software assigns a sequence 
number to the entry. When the user tries to log in using the access type you selected, the software tries the 
authentication sources in ascending sequence order until the access request is either approved or denied. 
Each time you add an entry for a given access type, the software increments the sequence number. Thus, if 
you want to use multiple authentication methods, make sure you enter the primary authentication method 
first, the secondary authentication method second, and so on. 

If you need to delete an entry, select the access type and authentication method for the entry, then click 
Delete. 

20. Click Home to return to the System configuration panel, then select the Save link at the bottom of the dialog. 
Select Yes when prompted to save the configuration change to the startup-config file on the device's flash 
memory. 

21. To configure TACACS+ authorization, select the Management link to display the Management panel and 
select the Authorization Methods link to display the Authorization Method panel, as shown in the following 
example. 

[Figure: Authorization Method panel, with a Type pulldown (Commands), a Show Sequence button, Command Level radio buttons 0, 4 and 5, radio buttons for Radius, TACACS+ and None, and Add and Delete buttons] 

22. To configure TACACS+ exec authorization, select Exec from the Type field's pulldown menu. 

23. To configure TACACS+ command authorization, select Commands from the Type field's pulldown menu and 
select a privilege level by clicking on one of the following radio buttons: 

• 0 - Authorization is performed for commands available at the Super User level (all commands) 

• 4 - Authorization is performed for commands available at the Port Configuration level (port-config and 
read-only commands) 

• 5 - Authorization is performed for commands available at the Read Only level (read-only commands) 

NOTE: TACACS+ command authorization is performed only for commands entered from Telnet or SSH 
sessions. No authorization is performed for commands entered at the console or the Web management 
interface. 

24. Click on the radio button next to TACACS+. 

25. Click the Add button to save the change to the device's running-config file. 
The authorization method you selected is displayed in the table at the top of the dialog. Each time you add 
an authorization method for a given access type, the software assigns a sequence number to the entry. 
When authorization is performed, the software tries the authorization sources in ascending sequence order 
until the request is either approved or denied. Each time you add an entry for a given access type, the 
software increments the sequence number. Thus, if you want to use multiple authorization methods, make 
sure you enter the primary authorization method first, the secondary authorization method second, and so 
on. 

If you need to delete an entry, select the access type and authorization method for the entry, then click Delete. 

26. To configure TACACS+ accounting, select the Management link to display the Management panel and select 
the Accounting Methods link to display the Accounting Method panel, as shown in the following example. 

[Figure: Accounting Method panel, with a Type pulldown (Commands), a Show Sequence button, Command Level radio buttons 0, 4 and 5, radio buttons for Radius, TACACS+ and None, and Add and Delete buttons] 

27. To send an Accounting Start packet to the TACACS+ accounting server when an authenticated user 
establishes a Telnet or SSH session on the HP device, and an Accounting Stop packet when the user logs 
out, select Exec from the Type field's pulldown menu. 

28. To configure TACACS+ accounting for CLI commands, select Commands from the Type field's pulldown 
menu and select a privilege level by clicking on one of the following radio buttons: 

• 0 - Records commands available at the Super User level (all commands) 

• 4 - Records commands available at the Port Configuration level (port-config and read-only commands) 

• 5 - Records commands available at the Read Only level (read-only commands) 

29. To configure TACACS+ accounting to record when system events occur on the HP device, select System 
from the Type field's pulldown menu. 

30. Click on the radio button next to TACACS+. 

31. Click the Add button to save the change to the device's running-config file. 

The accounting method you selected is displayed in the table at the top of the dialog. Each time you add an 
accounting method for a given access type, the software assigns a sequence number to the entry. When 
accounting is performed, the software tries the accounting sources in ascending sequence order until the 
request is either approved or denied. Each time you add an entry for a given access type, the software 
increments the sequence number. Thus, if you want to use multiple accounting methods, make sure you 
enter the primary accounting method first, the secondary accounting method second, and so on. 

If you need to delete an entry, select the access type and accounting method for the entry, then click Delete. 

32. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change 
to the startup-config file on the device's flash memory. 
Configuring RADIUS Security 

You can use a Remote Authentication Dial In User Service (RADIUS) server to secure the following types of 
access to the HP switch or routing switch: 

• Telnet access 

• SSH access 

• Web management access 

• Access to the Privileged EXEC level and CONFIG levels of the CLI 

RADIUS Authentication, Authorization, and Accounting 

When RADIUS authentication is implemented, the HP device consults a RADIUS server to verify user names 
and passwords. You can optionally configure RADIUS authorization, in which the HP device consults a list of 
commands supplied by the RADIUS server to determine whether a user can execute a command he or she has 
entered, as well as accounting, which causes the HP device to log information on a RADIUS accounting server 
when specified events occur on the device. 



NOTE: In releases prior to 07.1.10, a user logging into the device via Telnet or SSH would first enter the User 
EXEC level. The user could then enter the enable command to get to the Privileged EXEC level. 

Starting with release 07.1.10, a user that is successfully authenticated by a RADIUS or TACACS+ server is 
automatically placed at the Privileged EXEC level after login. 

RADIUS Authentication 

When RADIUS authentication takes place, the following events occur: 

1. A user attempts to gain access to the HP device by doing one of the following: 

• Logging into the device using Telnet, SSH, or the Web management interface 

• Entering the Privileged EXEC level or CONFIG level of the CLI 

2. The user is prompted for a username and password. 

3. The user enters a username and password. 

4. The HP device sends a RADIUS Access-Request packet containing the username and password to the 
RADIUS server. 

5. The RADIUS server validates the HP device using a shared secret (the RADIUS key). 

6. The RADIUS server looks up the username in its database. 

7. If the username is found in the database, the RADIUS server validates the password. 

8. If the password is valid, the RADIUS server sends an Access-Accept packet to the HP device, authenticating 
the user. Within the Access-Accept packet are three HP vendor-specific attributes that indicate: 

• The privilege level of the user 

• A list of commands 

• Whether the user is allowed or denied usage of the commands in the list 
The last two attributes are used with RADIUS authorization, if configured. 

9. The user is authenticated, and the information supplied in the Access-Accept packet for the user is stored on 
the HP device. The user is granted the specified privilege level. If you configure RADIUS authorization, the 
user is allowed or denied usage of the commands in the list. 
RADIUS Authorization 

When RADIUS authorization takes place, the following events occur: 

1. A user previously authenticated by a RADIUS server enters a command on the HP device. 

2. The HP device looks at its configuration to see if the command is at a privilege level that requires RADIUS 
command authorization. 

3. If the command belongs to a privilege level that requires authorization, the HP device looks at the list of 
commands delivered to it in the RADIUS Access-Accept packet when the user was authenticated. (Along 
with the command list, an attribute was sent that specifies whether the user is permitted or denied usage of 
the commands in the list.) 



NOTE: After RADIUS authentication takes place, the command list resides on the HP device. The RADIUS 
server is not consulted again once the user has been authenticated. This means that any changes made to 
the user's command list on the RADIUS server are not reflected until the next time the user is authenticated 
by the RADIUS server, and the new command list is sent to the HP device. 

4. If the command list indicates that the user is authorized to use the command, the command is executed. 

RADIUS Accounting 

RADIUS accounting works as follows: 

1. One of the following events occurs on the HP device: 

• A user logs into the management interface using Telnet or SSH 

• A user enters a command for which accounting has been configured 

• A system event occurs, such as a reboot or reloading of the configuration file 

2. The HP device checks its configuration to see if the event is one for which RADIUS accounting is required. 

3. If the event requires RADIUS accounting, the HP device sends a RADIUS Accounting Start packet to the 
RADIUS accounting server, containing information about the event. 

4. The RADIUS accounting server acknowledges the Accounting Start packet. 

5. The RADIUS accounting server records information about the event. 

6. When the event is concluded, the HP device sends an Accounting Stop packet to the RADIUS accounting 
server. 

7. The RADIUS accounting server acknowledges the Accounting Stop packet. 

AAA Operations for RADIUS 

The following table lists the sequence of authentication, authorization, and accounting operations that take place 
when a user gains access to an HP device that has RADIUS security configured. 

User Action: User attempts to gain access to the Privileged EXEC and CONFIG levels of the CLI 
Applicable AAA Operations: 
    Enable authentication: 
        aaa authentication enable default <method-list> 
    System accounting start: 
        aaa accounting system default start-stop <method-list> 

User Action: User logs in using Telnet/SSH 
Applicable AAA Operations: 
    Login authentication: 
        aaa authentication login default <method-list> 
    EXEC accounting start: 
        aaa accounting exec default start-stop <method-list> 
    System accounting start: 
        aaa accounting system default start-stop <method-list> 

User Action: User logs into the Web management interface 
Applicable AAA Operations: 
    Web authentication: 
        aaa authentication web-server default <method-list> 

User Action: User logs out of Telnet/SSH session 
Applicable AAA Operations: 
    Command authorization for logout command: 
        aaa authorization commands <privilege-level> default <method-list> 
    Command accounting: 
        aaa accounting commands <privilege-level> default start-stop <method-list> 
    EXEC accounting stop: 
        aaa accounting exec default start-stop <method-list> 

User Action: User enters system commands (for example, reload, boot system) 
Applicable AAA Operations: 
    Command authorization: 
        aaa authorization commands <privilege-level> default <method-list> 
    Command accounting: 
        aaa accounting commands <privilege-level> default start-stop <method-list> 
    System accounting stop: 
        aaa accounting system default start-stop <method-list> 

User Action: User enters the command: [no] aaa accounting system default start-stop <method-list> 
Applicable AAA Operations: 
    Command authorization: 
        aaa authorization commands <privilege-level> default <method-list> 
    Command accounting: 
        aaa accounting commands <privilege-level> default start-stop <method-list> 
    System accounting start: 
        aaa accounting system default start-stop <method-list> 

User Action: User enters other commands 
Applicable AAA Operations: 
    Command authorization: 
        aaa authorization commands <privilege-level> default <method-list> 
    Command accounting: 
        aaa accounting commands <privilege-level> default start-stop <method-list> 

RADIUS Configuration Considerations 

• You must deploy at least one RADIUS server in your network. 

• HP devices support authentication using up to eight RADIUS servers. The device tries to use the servers in 
the order you add them to the device's configuration. If one RADIUS server is not responding, the HP device 
tries the next one in the list. 

• You can select only one primary authentication method for each type of access to a device (CLI through 
Telnet, CLI Privileged EXEC and CONFIG levels). For example, you can select RADIUS as the primary 
authentication method for Telnet CLI access, but you cannot also select TACACS+ authentication as the 
primary method for the same type of access. However, you can configure backup authentication methods for 
each access type. 

RADIUS Configuration Procedure 

Use the following procedure to configure an HP device for RADIUS: 

1. Configure HP vendor-specific attributes on the RADIUS server. See "Configuring HP-Specific Attributes on 
the RADIUS Server" on page 3-34. 

2. Identify the RADIUS server to the HP device. See "Identifying the RADIUS Server to the HP Device" on 
page 3-35. 

3. Set RADIUS parameters. See "Setting RADIUS Parameters" on page 3-36. 

4. Configure authentication-method lists. See "Configuring Authentication-Method Lists for RADIUS" on page 3- 
36. 

5. Optionally configure RADIUS authorization. See "Configuring RADIUS Authorization" on page 3-38. 

6. Optionally configure RADIUS accounting. "Configuring RADIUS Accounting" on page 3-38. 

Configuring HP-Specific Attributes on the RADIUS Server 

During the RADIUS authentication process, if a user supplies a valid username and password, the RADIUS server 
sends an Access-Accept packet to the HP device, authenticating the user. Within the Access-Accept packet are 
three HP vendor-specific attributes that indicate: 

• The privilege level of the user 

• A list of commands 

• Whether the user is allowed or denied usage of the commands in the list 

You must add these three HP vendor-specific attributes to your RADIUS server's configuration, and configure the 
attributes in the individual or group profiles of the users that will access the HP device. 
HP's Vendor-ID is 11, with Vendor-Type 1. The following table describes the HP vendor-specific attributes. 

Table 3.4: HP vendor-specific attributes for RADIUS 

hp-privilege-level 
    Attribute ID: 1 
    Data Type:    integer 
    Description:  Specifies the privilege level for the user. This attribute can be set to one of the 
                  following: 

                  0  Super User level - Allows complete read-and-write access to the system. This is 
                     generally for system administrators and is the only management privilege level 
                     that allows you to configure passwords. 

                  4  Port Configuration level - Allows read-and-write access for specific ports but 
                     not for global (system-wide) parameters. 

                  5  Read Only level - Allows access to the Privileged EXEC mode and CONFIG mode of 
                     the CLI but only with read access. 

hp-command-string 
    Attribute ID: 2 
    Data Type:    string 
    Description:  Specifies a list of CLI commands that are permitted or denied to the user when 
                  RADIUS authorization is configured. 

                  The commands are delimited by semicolons (;). You can specify an asterisk (*) as a 
                  wildcard at the end of a command string. 

                  For example, the following command list specifies all show and debug ip commands, 
                  as well as the write terminal command: 

                  show *; debug ip *; write term* 

hp-command-exception-flag 
    Attribute ID: 3 
    Data Type:    integer 
    Description:  Specifies whether the commands indicated by the hp-command-string attribute are 
                  permitted or denied to the user. This attribute can be set to one of the following: 

                  0  Permit execution of the commands indicated by hp-command-string, deny all other 
                     commands. 

                  1  Deny execution of the commands indicated by hp-command-string, permit all other 
                     commands. 

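To make the attribute semantics of Table 3.4 and the RADIUS authorization sequence described earlier concrete, here is an added Python example (not HP code and not from the manual). It encodes the three HP attributes as RFC 2865 Vendor-Specific attributes (type 26) carrying Vendor-Id 11, decodes them back out of an attribute list, and applies the permit/deny decision: a semicolon-delimited command list, a trailing asterisk as wildcard, and hp-command-exception-flag deciding whether the list is a permit list or a deny list. The on-the-wire layout of one Vendor-Type/Vendor-Length sub-attribute per VSA is the common RFC 2865 convention and is an assumption here, since the manual only gives the attribute IDs.

```python
"""Encode/decode the HP RADIUS vendor-specific attributes and evaluate the
command list. Added example, not HP code; VSA sub-attribute layout assumed."""
import struct

HP_VENDOR_ID = 11            # from the manual (Vendor-ID 11)
ATTR_VENDOR_SPECIFIC = 26    # RFC 2865 Vendor-Specific attribute type
HP_PRIVILEGE_LEVEL = 1       # Table 3.4 attribute IDs
HP_COMMAND_STRING = 2
HP_COMMAND_EXCEPTION_FLAG = 3


def encode_vsa(vendor_type, value):
    """One VSA: Type(26) Length Vendor-Id(4) Vendor-Type Vendor-Length data (assumed layout)."""
    data = struct.pack("!I", value) if isinstance(value, int) else value.encode("ascii")
    sub = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    body = struct.pack("!I", HP_VENDOR_ID) + sub
    if 2 + len(body) > 255:
        raise ValueError("attribute too long for a single RADIUS attribute")
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def encode_hp_attributes(privilege_level, command_string, exception_flag):
    """The three attributes the manual says an Access-Accept carries."""
    return (encode_vsa(HP_PRIVILEGE_LEVEL, privilege_level)
            + encode_vsa(HP_COMMAND_STRING, command_string)
            + encode_vsa(HP_COMMAND_EXCEPTION_FLAG, exception_flag))


def decode_hp_attributes(attrs):
    """Walk a RADIUS attribute list (bytes) and return the HP VSAs as {vendor_type: value}."""
    found = {}
    i = 0
    while i < len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute")
        if atype == ATTR_VENDOR_SPECIFIC:
            vendor_id = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            if vendor_id == HP_VENDOR_ID:
                vtype, vlen = attrs[i + 6], attrs[i + 7]
                data = attrs[i + 8:i + 6 + vlen]
                if vtype == HP_COMMAND_STRING:
                    found[vtype] = data.decode("ascii")
                else:
                    found[vtype] = struct.unpack("!I", data)[0]
        i += alen  # other attributes (User-Name, etc.) are skipped
    return found


def parse_command_list(command_string):
    """Split the semicolon-delimited hp-command-string into patterns."""
    return [c.strip() for c in command_string.split(";") if c.strip()]


def command_matches(pattern, command):
    """A trailing * is a wildcard; otherwise the command must match exactly."""
    if pattern.endswith("*"):
        return command.startswith(pattern[:-1])
    return command == pattern


def command_permitted(hp_attrs, command):
    """Apply hp-command-exception-flag: 0 = permit listed, deny others; 1 = the reverse."""
    patterns = parse_command_list(hp_attrs.get(HP_COMMAND_STRING, ""))
    listed = any(command_matches(p, command) for p in patterns)
    flag = hp_attrs.get(HP_COMMAND_EXCEPTION_FLAG, 0)
    return listed if flag == 0 else not listed


if __name__ == "__main__":
    # Constructed profile: Read Only user allowed the manual's example command list.
    accept_attrs = encode_hp_attributes(5, "show *; debug ip *; write term*", 0)
    profile = decode_hp_attributes(accept_attrs)
    for cmd in ("show running-config", "write terminal", "reload"):
        print(cmd, "->", "permit" if command_permitted(profile, cmd) else "deny")
```

Note that, as the text says, this list lives on the device after authentication, so a decision taken here reflects the profile at login time, not any later change on the RADIUS server.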

Identifying the RADIUS Server to the HP Device 

To use a RADIUS server to authenticate access to an HP device, you must identify the server to the HP device. 
For example: 

HP9300(config)# radius-server host 209.157.22.99

Syntax: radius-server host <ip-addr> | <server-name> [auth-port <number> acct-port <number>] 

The host <ip-addr> | <server-name> parameter is either an IP address or an ASCII text string. 

The <auth-port> parameter is the Authentication port number; it is an optional parameter. The default is 1645. 

The <acct-port> parameter is the Accounting port number; it is an optional parameter. The default is 1646. 

Setting RADIUS Parameters 

You can set the following parameters in a RADIUS configuration: 

• RADIUS key - This parameter specifies the value that the HP device sends to the RADIUS server when 
trying to authenticate user access. 

• Retransmit interval - This parameter specifies how many times the HP device will resend an authentication 
request when the RADIUS server does not respond. The retransmit value can be from 1 - 5 times. The 
default is 3 times. 

• Timeout - This parameter specifies how many seconds the HP device waits for a response from a RADIUS 
server before either retrying the authentication request, or determining that the RADIUS servers are 
unavailable and moving on to the next authentication method in the authentication-method list. The timeout 
can be from 1 - 15 seconds. The default is 3 seconds. 

Setting the RADIUS Key 

The key parameter in the radius-server command is used to encrypt RADIUS packets before they are sent over 
the network. The value for the key parameter on the HP device should match the one configured on the RADIUS 
server. The key can be from 1 - 32 characters in length. 

To specify a RADIUS server key: 

HP9300(config)# radius-server key mirabeau

Syntax: radius-server key <key-string> 

Setting the Retransmission Limit 

The retransmit parameter specifies the maximum number of retransmission attempts. When an authentication 
request times out, the HP software will retransmit the request up to the maximum number of retransmissions 
configured. The default retransmit value is 3 retries. The range of retransmit values is from 1 - 5. 

To set the RADIUS retransmit limit: 

HP9300(config)# radius-server retransmit 5

Syntax: radius-server retransmit <number> 

Setting the Timeout Parameter 

The timeout parameter specifies how many seconds the HP device waits for a response from the RADIUS server 
before either retrying the authentication request, or determining that the RADIUS server is unavailable and moving 
on to the next authentication method in the authentication-method list. The timeout can be from 1-15 seconds. 
The default is 3 seconds. 

HP9300(config)# radius-server timeout 5

Syntax: radius-server timeout <number> 

Configuring Authentication-Method Lists for RADIUS 

You can use RADIUS to authenticate Telnet/SSH access and access to Privileged EXEC level and CONFIG levels 
of the CLI. When configuring RADIUS authentication, you create authentication-method lists specifically for these 
access methods, specifying RADIUS as the primary authentication method. 

Within the authentication-method list, RADIUS is specified as the primary authentication method and up to six 
backup authentication methods are specified as alternates. If RADIUS authentication fails due to an error, the 
device tries the backup authentication methods in the order they appear in the list. 
When you configure authentication-method lists for RADIUS, you must create a separate authentication-method 
list for Telnet or SSH CLI access and for CLI access to the Privileged EXEC level and CONFIG levels of the CLI. 

To create an authentication-method list that specifies RADIUS as the primary authentication method for securing 
Telnet access to the CLI: 

HP9300(config)# enable telnet authentication
HP9300(config)# aaa authentication login default radius local

The commands above cause RADIUS to be the primary authentication method for securing Telnet access to the 
CLI. If RADIUS authentication fails due to an error with the server, local authentication is used instead. 

To create an authentication-method list that specifies RADIUS as the primary authentication method for securing 
access to Privileged EXEC level and CONFIG levels of the CLI: 

HP9300(config)# aaa authentication enable default radius local none

The command above causes RADIUS to be the primary authentication method for securing access to Privileged 
EXEC level and CONFIG levels of the CLI. If RADIUS authentication fails due to an error with the server, local 
authentication is used instead. If local authentication fails, no authentication is used; the device automatically 
permits access. 

Syntax: [no] aaa authentication enable | login default <method1> [<method2>] [<method3>] [<method4>] 
[<method5>] [<method6>] [<method7>] 

The web-server | enable | login parameter specifies the type of access this authentication-method list controls. 
You can configure one authentication-method list for each type of access. 



NOTE: If you configure authentication for Web management access, authentication is performed each time a 
page is requested from the server. When frames are enabled on the Web management interface, the browser 
sends an HTTP request for each frame. The HP device authenticates each HTTP request from the browser. To 
limit authentications to one per page, disable frames on the Web management interface. 



The <method1> parameter specifies the primary authentication method. The remaining optional <method> 
parameters specify additional methods to try if an error occurs with the primary method. A method can be one of 
the values listed in the Method Parameter column in the following table. 



Table 3.5: Authentication Method Values 

Method Parameter   Description 

line               Authenticate using the password you configured for Telnet access. The Telnet 
                   password is configured using the enable telnet password... command. See 
                   "Setting a Telnet Password" on page 3-8. 

enable             Authenticate using the password you configured for the Super User privilege 
                   level. This password is configured using the enable super-user-password... 
                   command. See "Setting Passwords for Management Privilege Levels" on page 3-9. 

local              Authenticate using a local user name and password you configured on the device. 
                   Local user names and passwords are configured using the username... command. 
                   See "Configuring a Local User Account" on page 3-11. 

tacacs             Authenticate using the database on a TACACS server. You also must identify the 
                   server to the device using the tacacs-server command. 

tacacs+            Authenticate using the database on a TACACS+ server. You also must identify the 
                   server to the device using the tacacs-server command. 

radius             Authenticate using the database on a RADIUS server. You also must identify the 
                   server to the device using the radius-server command. 

none               Do not use any authentication method. The device automatically permits access. 



NOTE: For examples of how to define authentication-method lists for types of authentication other than RADIUS, 
see "Configuring Authentication-Method Lists" on page 3-44. 



Configuring RADIUS Authorization 

HP devices support RADIUS authorization for controlling access to management functions in the CLI. When 
RADIUS authorization is enabled, the HP device consults the list of commands supplied by the RADIUS server 
during authentication to determine whether a user can execute a command he or she has entered. 

You enable RADIUS authorization by specifying a privilege level whose commands require authorization. For 
example, to configure the HP device to perform authorization for the commands available at the Super User 
privilege level (that is; all commands on the device), enter the following command: 

HP9300(config)# aaa authorization commands 0 default radius

Syntax: aaa authorization commands <privilege-level> default radius | tacacs+ | none 

The <privilege-level> parameter can be one of the following: 

• 0 - Authorization is performed (that is, the HP device looks at the command list) for commands available at 
the Super User level (all commands) 

• 4 - Authorization is performed for commands available at the Port Configuration level (port-config and read- 
only commands) 

• 5 - Authorization is performed for commands available at the Read Only level (read-only commands) 



NOTE: RADIUS authorization is performed only for commands entered from Telnet or SSH sessions. No 
authorization is performed for commands entered at the console or the Web management interface. 



NOTE: Since RADIUS authorization relies on the command list supplied by the RADIUS server during 
authentication, you cannot perform RADIUS authorization without RADIUS authentication. 



NOTE: A user's privilege level is set during RADIUS authentication, not with an aaa authorization command. 
The command aaa authorization exec default radius is ignored by the system. 



Configuring RADIUS Accounting 

HP devices support RADIUS accounting for recording information about user activity and system events. When 
you configure RADIUS accounting on an HP device, information is sent to a RADIUS accounting server when 
specified events occur, such as when a user logs into the device or the system is rebooted. 

Configuring RADIUS Accounting for Telnet/SSH (Shell) Access 

To send an Accounting Start packet to the RADIUS accounting server when an authenticated user establishes a 
Telnet or SSH session on the HP device, and an Accounting Stop packet when the user logs out: 

HP9300(config)# aaa accounting exec default start-stop radius

Syntax: aaa accounting exec default start-stop radius | tacacs+ | none 
Configuring RADIUS Accounting for CLI Commands 

You can configure RADIUS accounting for CLI commands by specifying a privilege level whose commands 
require accounting. For example, to configure the HP device to perform RADIUS accounting for the commands 
available at the Super User privilege level (that is; all commands on the device), enter the following command: 

HP9300(config)# aaa accounting commands 0 default start-stop radius 

An Accounting Start packet is sent to the RADIUS accounting server when a user enters a command, and an 
Accounting Stop packet is sent when the service provided by the command is completed. 



NOTE: If authorization is enabled, and the command requires authorization, then authorization is performed 
before accounting takes place. If authorization fails for the command, no accounting takes place. 



Syntax: aaa accounting commands <privilege-level> default start-stop radius | tacacs+ | none 
The <privilege-level> parameter can be one of the following: 

• 0 - Records commands available at the Super User level (all commands) 

• 4 - Records commands available at the Port Configuration level (port-config and read-only commands) 

• 5 - Records commands available at the Read Only level (read-only commands) 

Configuring RADIUS Accounting for System Events 

You can configure RADIUS accounting to record when system events occur on the HP device. System events 
include rebooting and when changes to the active configuration are made. 

The following command causes an Accounting Start packet to be sent to the RADIUS accounting server when a 
system event occurs, and an Accounting Stop packet to be sent when the system event is completed: 

HP9300(config)# aaa accounting system default start-stop radius 

Syntax: aaa accounting system default start-stop radius | tacacs+ | none 
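The following is an added example, not HP code, showing what the Accounting Start and Stop packets sent by the three aaa accounting commands above contain on the wire and how an accounting server validates them. It follows RFC 2866 for the packet layout (Accounting-Request code 4, Accounting-Response code 5, Acct-Status-Type attribute 40 with Start=1 and Stop=2, Acct-Session-Id 44) and RFC 2865 for User-Name (1) and NAS-IP-Address (4). The shared secret "networks", the NAS address 10.0.0.3, the user name and the session identifier are constructed for the example; the secret is the value you set on the device with radius-server key. The only integrity the packet carries is an MD5 over that secret, which is why the key must stay out of session logs and why the server must discard any request whose authenticator does not verify. 

```python
"""RADIUS Accounting-Request (Start/Stop) encoding and server-side verification.

Added example, not HP code. Follows RFC 2866 for the packet layout and the
Request Authenticator; the secret, NAS address and session values below are
constructed for the example.
"""
import hashlib
import hmac
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5            # RADIUS packet codes
USER_NAME, NAS_IP_ADDRESS = 1, 4              # RFC 2865 attribute types
ACCT_STATUS_TYPE, ACCT_SESSION_ID = 40, 44    # RFC 2866 attribute types
ACCT_START, ACCT_STOP = 1, 2                  # Acct-Status-Type values
HEADER_LEN = 20                               # code, id, length, 16-byte authenticator


def attr(kind, value):
    """Type-Length-Value attribute. ints become 4-byte big-endian, str becomes UTF-8."""
    if isinstance(value, str):
        value = value.encode()
    elif isinstance(value, int):
        value = struct.pack(">I", value)
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("BB", kind, len(value) + 2) + value


def ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_acct_request(secret, ident, user, nas_ip, session_id, status):
    """What the device sends. Request Authenticator =
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret) (RFC 2866 s.3)."""
    attrs = (attr(USER_NAME, user)
             + attr(NAS_IP_ADDRESS, ip_bytes(nas_ip))
             + attr(ACCT_STATUS_TYPE, status)
             + attr(ACCT_SESSION_ID, session_id))
    header = struct.pack(">BBH", ACCT_REQUEST, ident, HEADER_LEN + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def parse_attrs(blob):
    """Return {type: value}; refuse truncated or overlapping TLVs."""
    out, i = {}, 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        kind, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        out[kind] = blob[i + 2:i + length]
        i += length
    return out


def verify_acct_request(secret, packet):
    """Server side: recompute the authenticator; return the attributes or None."""
    if len(packet) < HEADER_LEN:
        return None
    code, _ident, length = struct.unpack(">BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return None
    header, authenticator, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    if not hmac.compare_digest(authenticator, expected):
        return None  # wrong secret or altered attributes: discard silently
    try:
        return parse_attrs(attrs)
    except ValueError:
        return None


def build_acct_response(secret, request):
    """Accounting-Response with no attributes. Response Authenticator =
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack(">BBH", ACCT_RESPONSE, request[1], HEADER_LEN)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def status_of(attrs):
    """Decode Acct-Status-Type into 'start', 'stop' or 'other(n)'."""
    value = struct.unpack(">I", attrs[ACCT_STATUS_TYPE])[0]
    return {ACCT_START: "start", ACCT_STOP: "stop"}.get(value, f"other({value})")


if __name__ == "__main__":
    SECRET = b"networks"  # constructed; same value as the Radius key in the show aaa output
    start = build_acct_request(SECRET, 7, "netops", "10.0.0.3", "0001", ACCT_START)
    stop = build_acct_request(SECRET, 8, "netops", "10.0.0.3", "0001", ACCT_STOP)
    for pkt in (start, stop):
        attrs = verify_acct_request(SECRET, pkt)
        print(status_of(attrs), attrs[USER_NAME].decode(), len(build_acct_response(SECRET, pkt)))
```

A request built with a different secret, or with any attribute byte changed after the authenticator was computed, fails verification and is dropped; that is the whole of the protection, so a server that accepts unverified Accounting-Requests is accepting forged audit records. 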

Configuring an Interface as the Source for All RADIUS Packets 

You can designate the lowest-numbered IP address configured on an Ethernet port, loopback interface, or virtual 
interface as the source IP address for all RADIUS packets from the routing switch. Identifying a single source IP 
address for RADIUS packets provides the following benefits: 

• If your RADIUS server is configured to accept packets only from specific links or IP addresses, you can use 
this feature to simplify configuration of the RADIUS server by configuring the HP device to always send the 
RADIUS packets from the same link or source address. 

• If you specify a loopback interface as the single source for RADIUS packets, RADIUS servers can receive the 
packets regardless of the states of individual links. Thus, if a link to the RADIUS server becomes unavailable 
but the client or server can be reached through another link, the client or server still receives the packets, and 
the packets still have the source IP address of the loopback interface. 

The software contains separate CLI commands for specifying the source interface for Telnet, TACACS/TACACS+, 
and RADIUS packets. You can configure a source interface for one or more of these types of packets. 

To specify an Ethernet port or a loopback or virtual interface as the source for all RADIUS packets from the device, 
use the following CLI method. The software uses the lowest-numbered IP address configured on the port or 
interface as the source IP address for RADIUS packets originated by the device. 

To specify the lowest-numbered IP address configured on a virtual interface as the device's source for all RADIUS 
packets, enter commands such as the following: 

HP9300(config)# int ve 1 
HP9300(config-vif-1)# ip address 10.0.0.3/24 
HP9300(config-vif-1)# exit 
HP9300(config)# ip radius source-interface ve 1 

The commands in this example configure virtual interface 1, assign IP address 10.0.0.3/24 to the interface, then 
designate the interface as the source for all RADIUS packets from the routing switch. 

Syntax: ip radius source-interface ethernet <portnum> | loopback <num> | ve <num> 

The <num> parameter is a loopback interface or virtual interface number. If you specify an Ethernet port, the 
<portnum> is the port's number (including the slot number, if you are configuring a chassis device). 



Displaying RADIUS Configuration Information 

The show aaa command displays information about all TACACS/TACACS+ and RADIUS servers identified on the 
device. Note that at the Super User privilege level the output includes the TACACS+ and RADIUS shared secrets 
in cleartext, so treat session logs and screen captures of this command as sensitive. For example: 

HP9300# show aaa 
Tacacs+ key: whistle 
Tacacs+ retries: 1 
Tacacs+ timeout: 15 seconds 
Tacacs+ dead-time: 3 minutes 
Tacacs+ Server: 207.95.6.90 Port: 49: 
    opens=6 closes=3 timeouts=3 errors=0 
    packets in=4 packets out=4 
    no connection 
Radius key: networks 
Radius retries: 3 
Radius timeout: 3 seconds 
Radius dead-time: 3 minutes 
Radius Server: 207.95.6.90 Auth Port=1645 Acct Port=1646: 
    opens=2 closes=1 timeouts=1 errors=0 
    packets in=1 packets out=4 
    no connection 

The following table describes the RADIUS information displayed by the show aaa command. 

Table 3.6: Output of the show aaa command for RADIUS 

Field               Description 

Radius key          The setting configured with the radius-server key command. At the Super User 
                    privilege level, the actual text of the key is displayed. At the other privilege 
                    levels, a string of periods (....) is displayed instead of the text. 

Radius retries      The setting configured with the radius-server retransmit command. 

Radius timeout      The setting configured with the radius-server timeout command. 

Radius dead-time    The setting configured with the radius-server dead-time command. 

Radius Server       For each RADIUS server, the IP address and the following statistics are displayed: 
                    Auth Port       RADIUS authentication port number (default 1645) 
                    Acct Port       RADIUS accounting port number (default 1646) 
                    opens           Number of connections opened to the server 
                    closes          Number of connections closed 
                    timeouts        Number of timeouts 
                    errors          Number of errors 
                    packets in      Number of packets received from the server 
                    packets out     Number of packets sent to the server 
                    connection      The current connection status. This can be "no connection" or 
                                    "connection active". 


The show web command displays the privilege level of Web management interface users. For example: 

HP6208(config)# show web 
User     Privilege    IP address 
set      0            192.168.1.234 

Syntax: show web 





USING THE WEB MANAGEMENT INTERFACE 

To configure RADIUS using the Web management interface: 

1 . Log on to the device using a valid user name and password for read-write access. The System configuration 
panel is displayed. 

2. If you are configuring RADIUS authentication for Telnet access to the CLI, go to step 3. Otherwise, go to step 7. 

3. Select the Management link to display the Management configuration panel. 

4. Select Enable next to Telnet Authentication. You must enable Telnet authentication if you want to use 
TACACS/TACACS+ or RADIUS to authenticate Telnet access to the device. 

5. Click Apply to apply the change. 

6. Select the Home link to return to the System configuration panel. 

7. Select the RADIUS link from the System configuration panel to display the RADIUS panel. 

8. Change the retransmit interval, time out, and dead time if needed. 

9. Enter the authentication key if applicable. 

10. Click Apply if you changed any RADIUS parameters. 

11. Select the RADIUS Server link. 

• If any RADIUS servers are already configured on the device, the servers are listed in a table. Select the 
Add RADIUS Server link to display the following panel. 

• If the device does not have any RADIUS servers configured, the following panel is displayed. 



[Screen: RADIUS Server panel with the fields IP Address (209.157.22.63 in the example), Auth UDP Port (1645) 
and Acct UDP Port, and the Add, Delete and Reset buttons] 
12. Enter the server's IP address in the IP Address field. 

13. If needed, change the Authentication port and Accounting port. (The default values work in most networks.) 

14. Click Home to return to the System configuration panel, then select the Save link at the bottom of the dialog. 
Select Yes when prompted to save the configuration change to the startup-config file on the device's flash 
memory. 

15. Select the Management link to display the Management panel. 

16. Select the Authentication Methods link to display the Login Authentication Sequence panel, as shown in the 
following example. 



[Screen: Login Authentication Sequence panel. A Sequence/Method table at the top; below it the Authentication 
Method form with Type: Login, a Show Sequence button, radio buttons for Enable, Radius (selected), Line, Local, 
TACACS+, TACACS and None, and the Add and Delete buttons] 

17. Select the type of access for which you are defining the authentication method list from the Type field's 
pulldown menu. Each type of access must have a separate authentication-method list. For example, to 
define the authentication-method list for logging into the CLI, select Login. 

18. Select the primary authentication method by clicking on the radio button next to the method. For example, to 
use a RADIUS server as the primary means of authentication for logging on to the CLI, select RADIUS. 

19. Click the Add button to save the change to the device's running-config file. 

The access type and authentication method you selected are displayed in the table at the top of the dialog. 
Each time you add an authentication method for a given access type, the software assigns a sequence 
number to the entry. When the user tries to log in using the access type you selected, the software tries the 
authentication sources in ascending sequence order until the access request is either approved or denied. 
Each time you add an entry for a given access type, the software increments the sequence number. Thus, if 
you want to use multiple authentication methods, make sure you enter the primary authentication method 
first, the secondary authentication method second, and so on. 

If you need to delete an entry, select the access type and authentication method for the entry, then click 
Delete. 

20. Click Home to return to the System configuration panel, then select the Save link at the bottom of the dialog. 
Select Yes when prompted to save the configuration change to the startup-config file on the device's flash 
memory. 

21 . To configure RADIUS command authorization, select the Management link to display the Management panel 
and select the Authorization Methods link to display the Authorization Method panel, as shown in the 
following example. 
[Screen: Authorization Method panel with Type: Commands, a Show Sequence button, Command Level radio 
buttons 0, 4 (selected) and 5, method radio buttons Radius (selected), TACACS+ and None, and the Add and 
Delete buttons] 

22. Select Commands from the Type field's pulldown menu. 

23. Select a privilege level by clicking on one of the following radio buttons: 

• 0 - Authorization is performed for commands available at the Super User level (all commands) 

• 4 - Authorization is performed for commands available at the Port Configuration level (port-config and 
read-only commands) 

• 5 - Authorization is performed for commands available at the Read Only level (read-only commands) 



NOTE: RADIUS authorization is performed only for commands entered from Telnet or SSH sessions. No 
authorization is performed for commands entered at the console or the Web management interface. 



NOTE: Since RADIUS authorization relies on the command list supplied by the RADIUS server during 
authentication, you cannot perform RADIUS authorization without RADIUS authentication. 



NOTE: A user's privilege level is set during RADIUS authentication, not by configuring RADIUS Exec 
authorization. Selecting RADIUS Exec authorization on the Authorization Method panel is ignored by the 
system. 



24. Click on the radio button next to Radius. 

25. Click the Add button to save the change to the device's running-config file. 

The authorization method you selected is displayed in the table at the top of the dialog. Each time you add 
an authorization method for a given access type, the software assigns a sequence number to the entry. 
When authorization is performed, the software tries the authorization sources in ascending sequence order 
until the request is either approved or denied. Each time you add an entry for a given access type, the 
software increments the sequence number. Thus, if you want to use multiple authorization methods, make 
sure you enter the primary authorization method first, the secondary authorization method second, and so 
on. 

If you need to delete an entry, select the access type and authorization method for the entry, then click Delete. 

26. To configure RADIUS accounting, select the Management link to display the Management panel and select 
the Accounting Methods link to display the Accounting Method panel, as shown in the following example. 
[Screen: Accounting Method panel with Type: Commands, a Show Sequence button, Command Level radio 
buttons 0 (selected), 4 and 5, method radio buttons Radius (selected), TACACS+ and None, and the Add and 
Delete buttons] 



27. To send an Accounting Start packet to the RADIUS accounting server when an authenticated user 
establishes a Telnet or SSH session on the HP device, and an Accounting Stop packet when the user logs 
out, select Exec from the Type field's pulldown menu. 

28. To configure RADIUS accounting for CLI commands, select Commands from the Type field's pulldown menu 
and select a privilege level by clicking on one of the following radio buttons: 

• 0 - Records commands available at the Super User level (all commands) 

• 4 - Records commands available at the Port Configuration level (port-config and read-only commands) 

• 5 - Records commands available at the Read Only level (read-only commands) 

29. To configure RADIUS accounting to record when system events occur on the HP device, select System from 
the Type field's pulldown menu. 

30. Click on the radio button next to Radius. 

31 . Click the Add button to save the change to the device's running-config file. 

The accounting method you selected is displayed in the table at the top of the dialog. Each time you add an 
accounting method for a given access type, the software assigns a sequence number to the entry. When 
accounting is performed, the software tries the accounting sources in ascending sequence order until the 
request is either approved or denied. Each time you add an entry for a given access type, the software 
increments the sequence number. Thus, if you want to use multiple accounting methods, make sure you 
enter the primary accounting method first, the secondary accounting method second, and so on. 

If you need to delete an entry, select the access type and accounting method for the entry, then click Delete. 

32. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change 
to the startup-config file on the device's flash memory. 

Configuring Authentication-Method Lists 

To implement one or more authentication methods for securing access to the device, you configure authentication- 
method lists that set the order in which the authentication methods are consulted. 

In an authentication-method list, you specify the access method (Telnet, Web, SNMP, and so on) and the order in 
which the device tries one or more of the following authentication methods: 

• Local Telnet login password 

• Local password for the Super User privilege level 

• Local user accounts configured on the device 
• Database on a TACACS or TACACS+ server 

• Database on a RADIUS server 

• No authentication 



NOTE: The TACACS/TACACS+, RADIUS, and Telnet login password authentication methods are not supported 
for SNMP access. 



NOTE: To authenticate Telnet access to the CLI, you also must enable the authentication by entering the 
enable telnet authentication command at the global CONFIG level of the CLI. You cannot enable Telnet 
authentication using the Web management interface. 



NOTE: You do not need an authentication-method list to secure access based on ACLs or a list of IP addresses. 
See "Using ACLs to Restrict Remote Access" on page 3-3 or "Restricting Remote Access to the Device to Specific 
IP Addresses" on page 3-5. 



In an authentication-method list for a particular access method, you can specify up to seven authentication 
methods. If the first authentication method is successful, the software grants access and stops the authentication 
process. If the access is rejected by the first authentication method, the software denies access and stops 
checking. 

However, if an error occurs with an authentication method, the software tries the next method on the list, and so 
on. For example, if the first authentication method is the RADIUS server, but the link to the server is down, the 
software will try the next authentication method in the list. 



NOTE: If an authentication method is working properly and the password (and user name, if applicable) is not 
known to that method, this is not an error. The authentication attempt stops, and the user is denied access. 



The software will continue this process until either the authentication method is passed or the software reaches 
the end of the method list. If the Super User level password is not rejected after all the access methods in the list 
have been tried, access is granted. 
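As an added example (not HP code), the following models the rules in the paragraphs above: each method in the list returns accept, reject or error; a rejection stops the walk and denies access, an error moves on to the next method, and an acceptance grants access. The page does not state precisely what happens when every method in the list errors, so this model fails closed (denies), which is the assumption you want when reviewing a configuration. The local user database, the RADIUS reachability flag and the passwords are constructed for the example, and audit_method_list is a review helper of mine, not a device command. 

```python
"""Model of the authentication-method list rules described above.

Constructed example, not HP code. Each method returns ACCEPT, REJECT or ERROR:
REJECT stops the walk and denies, ERROR moves to the next method, ACCEPT grants.
The end-of-list case (every method errored) is modelled as a denial; that is an
assumption, not something the page states.
"""
from enum import Enum


class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    ERROR = "error"


# Constructed local user database (the "local" method).
LOCAL_USERS = {"netops": "s3cret"}


def local_method(user, password):
    # A wrong password is a rejection, not an error: no fall-through.
    return Result.ACCEPT if LOCAL_USERS.get(user) == password else Result.REJECT


def make_radius_method(reachable, users):
    """Simulated RADIUS back end; unreachable server yields ERROR (timeout)."""
    def radius_method(user, password):
        if not reachable:
            return Result.ERROR
        return Result.ACCEPT if users.get(user) == password else Result.REJECT
    return radius_method


def none_method(user, password):
    return Result.ACCEPT  # "none": permit unconditionally


def evaluate(method_list, backends, user, password):
    """Walk the list in configured order. Returns (granted, deciding method)."""
    for name in method_list:
        outcome = backends[name](user, password)
        if outcome is Result.ACCEPT:
            return True, name
        if outcome is Result.REJECT:
            return False, name
        # Result.ERROR: the page says the software tries the next method
    return False, None  # assumption: an exhausted list fails closed


REMOTE = {"radius", "tacacs", "tacacs+"}


def audit_method_list(method_list):
    """Review helper (mine, not a device command): configuration findings."""
    findings = []
    if len(method_list) > 7:
        findings.append("more than seven methods is not supported")
    if "none" in method_list:
        findings.append("'none' grants access unconditionally once reached")
    if method_list and method_list[0] in REMOTE and "local" not in method_list[1:]:
        findings.append("no local fallback after the remote method: "
                        "an unreachable server walks off the end of the list")
    return findings


if __name__ == "__main__":
    backends = {"radius": make_radius_method(False, {}),
                "local": local_method, "none": none_method}
    print(evaluate(["radius", "local"], backends, "netops", "s3cret"))  # server down: local decides
    print(audit_method_list(["radius", "none"]))
```

The second and third cases worth running are a reachable RADIUS server that rejects the password (the walk stops there; "local" is never consulted, so a stale local password is no back door) and a list ending in "none" (any error in the earlier methods ends in an unconditional grant). 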

Configuration Considerations for Authentication-Method Lists 

• For CLI access, you must configure authentication-method lists if you want the device to authenticate access 
using local user accounts or a RADIUS server. Otherwise, the device will authenticate using only the locally 
based password for the Super User privilege level. 

• When no authentication-method list is configured specifically for Web management access, the device 
performs authentication using the SNMP community strings: 

    • For read-only access, you can use the user name "get" and the password "public". The default read-only 
    community string is "public". 

    • There is no default read-write community string. Thus, by default, you cannot open a read-write 
    management session using the Web management interface. You first must configure a read-write 
    community string using the CLI. Then you can log on using "set" as the user name and the read-write 
    community string you configure as the password. See "Establishing SNMP Community Strings" on 
    page 3-13. 

• If you configure an authentication-method list for Web management access and specify "local" as the primary 
authentication method, users who attempt to access the device using the Web management interface must 
supply a user name and password configured in one of the local user accounts on the device. The user 
cannot access the device by entering "set" or "get" and the corresponding SNMP community string. 

Examples of Authentication-Method Lists 

Example 1 : The following example shows how to configure authentication-method lists for the Web management 
interface and the Privileged EXEC and CONFIG levels of the CLI. In this example, the primary authentication 
method for each is "local". The device will authenticate access attempts using the locally configured user names 
and passwords first. 
To configure an authentication-method list for the Web management interface, enter a command such as the 
following: 

HP9300(config)# aaa authentication web-server default local 

This command configures the device to use the local user accounts to authenticate access to the device through 
the Web management interface. If the device does not have a user account that matches the user name and 
password entered by the user, the user is not granted access. 

To configure an authentication-method list for the Privileged EXEC and CONFIG levels of the CLI, enter the 
following command: 

HP9300(config)# aaa authentication enable default local 

This command configures the device to use the local user accounts to authenticate attempts to access the 
Privileged EXEC and CONFIG levels of the CLI. 

Example 2: To configure the device to consult a RADIUS server first to authenticate attempts to access the 
Privileged EXEC and CONFIG levels of the CLI, then consult the local user accounts if the RADIUS server is 
unavailable, enter the following command: 

HP9300(config)# aaa authentication enable default radius local 

Syntax: [no] aaa authentication snmp-server | web-server | enable | login default <method1> [<method2>] 
[<method3>] [<method4>] [<method5>] [<method6>] [<method7>] 

The snmp-server | web-server | enable | login parameter specifies the type of access this authentication- 
method list controls. You can configure one authentication-method list for each type of access. 



NOTE: TACACS/TACACS+ and RADIUS are supported only with the enable and login parameters. 



The <method1> parameter specifies the primary authentication method. The remaining optional <method> 
parameters specify additional methods to try if an error occurs with the primary method. A method can be one of 
the values listed in the Method Parameter column in the following table. 



Table 3.7: Authentication Method Values 

Method Parameter    Description 

line                Authenticate using the password you configured for Telnet access. The 
                    Telnet password is configured using the enable telnet password... 
                    command. See "Setting a Telnet Password" on page 3-8. 

enable              Authenticate using the password you configured for the Super User 
                    privilege level. This password is configured using the enable super- 
                    user-password... command. See "Setting Passwords for Management 
                    Privilege Levels" on page 3-9. 

local               Authenticate using a local user name and password you configured on 
                    the device. Local user names and passwords are configured using the 
                    username... command. See "Configuring a Local User Account" on 
                    page 3-11. 

tacacs              Authenticate using the database on a TACACS server. You also must 
                    identify the server to the device using the tacacs-server command. 

tacacs+             Authenticate using the database on a TACACS+ server. You also must 
                    identify the server to the device using the tacacs-server command. 

radius              Authenticate using the database on a RADIUS server. You also must 
                    identify the server to the device using the radius-server command. 
                    See "Configuring RADIUS Security" on page 3-31. 

none                Do not use any authentication method. The device automatically 
                    permits access. 



USING THE WEB MANAGEMENT INTERFACE 

To configure an authentication-method list with the Web management interface, use the following procedure. This 
example causes the device to use a RADIUS server to authenticate attempts to log in through the CLI: 

1 . Log on to the device using a valid user name and password for read-write access. The System configuration 
panel is displayed. 

2. Select the Management link to display the Management panel. 

3. Select the Authentication Methods link to display the Login Authentication Sequence panel, as shown in the 
following example. 



Login 
Authentication 
Sequence 



S e quenc e | Metho dj 



Authentication Method 

Type: | Login ^] Show Sequence 



r 


Enable 


if 


Radius 


r 


Line 


r 


Local 


r 


TACACS+ 


r 


TACACS 


r 


None 



Add | Delete | 

[Home IF Site Map lFLogoutirSavel [Frame Enable | Dis able 1 [TELNET! 

4. Select the type of access for which you are defining the authentication method list from the Type field's 
pulldown menu. Each type of access must have a separate authentication-method list. For example, to 
define the authentication-method list for logging into the CLI, select Login. 

5. Select the primary authentication method by clicking the button next to the method. For example, to use a 
RADIUS server as the primary means of authentication for logging on to the CLI, select RADIUS. 

6. Click the Add button to save the change to the device's running-config file. The access type and 
authentication method you selected are displayed in the table at the top of the dialog. Each time you add an 
authentication method for a given access type, the software assigns a sequence number to the entry. When 
the user tries to log in using the access type you selected, the software tries the authentication sources in 
ascending sequence order until the access request is either approved or denied. Each time you add an entry 
for a given access type, the software increments the sequence number. Thus, if you want to use multiple 
authentication methods, make sure you enter the primary authentication method first, the secondary 
authentication method second, and so on. 

If you need to delete an entry, select the access type and authentication method for the entry, then click 
Delete. 
7. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change 
to the startup-config file on the device's flash memory. 






Chapter 4 
Configuring Secure Shell 



Secure Shell (SSH) is a mechanism for allowing secure remote access to management functions on an HP 
device. SSH provides a function similar to Telnet. Users can log into and configure the device using a publicly or 
commercially available SSH client program, just as they can with Telnet. However, unlike Telnet, which provides 
no security, SSH provides a secure, encrypted connection to the device. 

SSH supports Arcfour, IDEA, Blowfish, DES (56-bit) and Triple DES (168-bit) data encryption methods. Nine 
levels of data compression are available. You can configure your SSH client to use any one of these data 
compression levels when connecting to an HP device. 

HP devices also support Secure Copy (SCP) for securely transferring files between an HP device and SCP- 
enabled remote hosts. See "Using Secure Copy" on page 4-9 for more information. 



NOTE: SSH is supported only on HP 9304M and HP 9308M routing switches with redundant management. 
SSH is not supported on the HP 6308M-SX or HP 6208M-SX. 



NOTE: HP's implementation of SSH supports SSH version 1 only. All references to SSH in this document are to 
SSH version 1. SSH protocol version 1 has since been deprecated because of protocol-level weaknesses, and 
current SSH clients disable it by default; treat it as a legacy feature and restrict who can reach the SSH port. 



HP's implementation of SSH supports two kinds of user authentication: 

• RSA challenge-response authentication, where a collection of public keys are stored on the device. Only 
clients with a private key that corresponds to one of the stored public keys can gain access to the device using 
SSH. 

• Password authentication, where users attempting to gain access to the device using an SSH client are 
authenticated with passwords stored on the device or on a TACACS/TACACS+ or RADIUS server 

Both kinds of user authentication are enabled by default. You can configure the device to use one or both of them. 

Configuring Secure Shell on an HP device consists of the following steps: 

1 . Setting the HP device's host name and domain name 

2. Generating a host RSA public and private key pair for the device 

3. Configuring RSA challenge-response authentication 

4. Setting optional parameters 

You can also view information about active SSH connections on the device as well as terminate them. 
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Setting the Host Name and Domain Name 

If you have not already done so, establish a host name and domain name for the HP device. For example: 

HP9300(config)# hostname HP9300 
HP9300(config)# ip dns domain-name hpshopping.com 

Syntax: hostname <name> 

Syntax: ip dns domain-name <name> 

Generating a Host RSA Key Pair 

When SSH is configured, a public and private host RSA key pair is generated for the HP device. The SSH server 
on the HP device uses this host RSA key pair, along with a dynamically generated server RSA key pair, to 
negotiate a session key and encryption method with the client trying to connect to it. 

The host RSA key pair is stored in the HP device's system-config file. Only the public key is readable. The public 
key should be added to a "known hosts" file (for example, $HOME/.ssh/known_hosts on UNIX systems) on the 
clients who want to access the device. Some SSH client programs add the public key to the known hosts file 
automatically; in other cases, you must manually create a known hosts file and place the HP device's public key in 
it. See "Providing the Public Key to Clients" on page 4-2 for an example of what to place in the known hosts file. 

To generate a public and private RSA host key pair for the HP device: 

HP9300(config)# crypto key generate rsa 
HP9300(config)# write memory 

The crypto key generate rsa command places an RSA host key pair in the running-config file and enables SSH 
on the device. To disable SSH, you must delete the RSA host key pair. To do this, enter the following commands: 

HP9300(config)# crypto key zeroize rsa 
HP9300(config)# write memory 

The crypto key zeroize rsa command deletes the RSA host key pair in the running-config file and disables SSH 
on the device. 

Syntax: crypto key generate | zeroize rsa 

Providing the Public Key to Clients 

If you are using SSH to connect to an HP device from a UNIX system, you may need to add the HP device's public 
key to a "known hosts" file; for example, $HOME/.ssh/known_hosts. The following is an example of an entry in a 
known hosts file: 

10.10.20.10 1024 37 118771881862677030464851288737258046856031640635887679230184247022636175804896633384620574930068397650231698985431857279323745963240790218032290842214534725157824370077028066279347840799496434041596532902240148333803390954214736797463856006016294532930756350280423103965438822043283266280424256936158342816331 

In this example, 10.10.20.10 is the IP address of an SSH-enabled HP switch or routing switch. The second 
number, 1024, is the size of the host key, and the third number, 37, is the encoded public exponent. The remaining 
text is the encoded modulus. 

Configuring RSA Challenge-Response Authentication 

With RSA challenge-response authentication, a collection of clients' public keys are stored on the HP device. 
Clients are authenticated using these stored public keys. Only clients that have a private key that corresponds to 
one of the stored public keys can gain access to the device using SSH. 

When RSA challenge-response authentication is enabled, the following events occur when a client attempts to 
gain access to the device using SSH: 
1. The client sends its public key to the HP device. 

2. The HP device compares the client's public key to those stored in memory. 

3. If there is a match, the HP device uses the public key to encrypt a random sequence of bytes. 

4. The HP device sends these encrypted bytes to the client. 

5. The client uses its private key to decrypt the bytes. 

6. The client sends the decrypted bytes back to the HP device. 

7. The HP device compares the decrypted bytes to the original bytes it sent to the client. If the two sets of bytes 
match, it means that the client's private key corresponds to an authorized public key, and the client is 
authenticated. 
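The following is an added example, not HP's implementation, that ties together the key file layouts on this page and the seven steps above. It parses the "bits exponent modulus [comment]" lines of an authorized public key file (and the known_hosts form, which prefixes the host), rejects a line whose declared bit size disagrees with its modulus, and then runs the exchange between a simulated device and client. The two RSA key pairs are built from small published primes so the block runs offline; they are constructed for the example and far too small for real use (the page's keys are 1024 bits), and the user@csp_client comment and 10.10.20.10 address are reused from the page purely to show the layout. The block follows the steps as the page states them; the real SSH-1 protocol has the client return an MD5 of the decrypted challenge and the session identifier rather than the raw bytes. 

```python
"""SSH-1 style RSA challenge-response with the key file formats shown above.

Added example, not HP code. Key pairs are built from small published primes
(constructed for the example; real keys were 1024 bits). Requires Python 3.8+
for the modular inverse via pow(E, -1, phi).
"""
import hmac
import os
from dataclasses import dataclass

E = 65537


def make_keypair(p, q):
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)  # (public, private)


CLIENT_PUB, CLIENT_PRIV = make_keypair(2147483647, 1000000007)  # 61-bit modulus
OTHER_PUB, OTHER_PRIV = make_keypair(1000000009, 998244353)     # 60-bit modulus


@dataclass(frozen=True)
class RsaPublicKey:
    bits: int
    e: int
    n: int
    comment: str = ""


def parse_key_line(line, with_host=False):
    """Parse "<bits> <e> <n> [comment]" or, with_host, "<host> <bits> <e> <n>"."""
    fields = line.split()
    host = None
    if with_host:
        if not fields:
            raise ValueError("empty line")
        host, fields = fields[0], fields[1:]
    if len(fields) < 3:
        raise ValueError("too few fields")
    bits, e, n = int(fields[0]), int(fields[1]), int(fields[2])
    if n.bit_length() != bits:
        raise ValueError(f"declared {bits} bits, modulus has {n.bit_length()}")
    if n % 2 == 0 or e < 3:
        raise ValueError("implausible RSA public key")
    key = RsaPublicKey(bits, e, n, " ".join(fields[3:]))
    return (host, key) if with_host else key


def load_authorized_keys(text):
    """Set of (e, n) the device will challenge; one key per non-empty line."""
    return {(k.e, k.n) for k in (parse_key_line(l) for l in text.splitlines() if l.strip())}


CHALLENGE_LEN = 7  # bytes; the plaintext must stay below the tiny moduli used here


def device_challenge(authorized, offered):
    """Steps 1-4: challenge only a stored key; encrypt random bytes with it."""
    if (offered.e, offered.n) not in authorized:
        return None  # step 2: unknown key, no challenge issued
    plain = os.urandom(CHALLENGE_LEN)
    cipher = pow(int.from_bytes(plain, "big"), offered.e, offered.n)  # step 3
    return plain, cipher


def client_response(priv, cipher):
    """Steps 5-6: decrypt with the private key and send the bytes back."""
    n, d = priv
    return pow(cipher, d, n).to_bytes(CHALLENGE_LEN, "big")


def authenticate(authorized, offered, priv):
    """Step 7: accept only if the returned bytes equal what the device encrypted."""
    chal = device_challenge(authorized, offered)
    if chal is None:
        return False
    plain, cipher = chal
    try:
        answer = client_response(priv, cipher)
    except OverflowError:  # wrong private key: result does not even fit the field
        return False
    return hmac.compare_digest(answer, plain)


# Constructed key file and known_hosts line in the page's layout.
AUTHORIZED_KEYS_TEXT = f"{CLIENT_PUB[0].bit_length()} {E} {CLIENT_PUB[0]} user@csp_client\n"
KNOWN_HOSTS_LINE = f"10.10.20.10 {CLIENT_PUB[0].bit_length()} {E} {CLIENT_PUB[0]}"

if __name__ == "__main__":
    authorized = load_authorized_keys(AUTHORIZED_KEYS_TEXT)
    client_key = parse_key_line(AUTHORIZED_KEYS_TEXT.strip())
    print("right key:", authenticate(authorized, client_key, CLIENT_PRIV))
    print("wrong key:", authenticate(authorized, client_key, OTHER_PRIV))
```

Two failure modes are worth noting: a client whose public key is not in the imported file never receives a challenge at all (step 2), and a client that presents an authorized public key without holding the matching private key cannot produce the original bytes (step 7), so copying the unprotected public key file from a client host gains nothing by itself. 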

Setting up RSA challenge-response authentication consists of the following steps: 

1 . Importing authorized public keys into the HP device. 

2. Enabling RSA challenge response authentication 

Importing Authorized Public Keys into the HP Device 

SSH clients that support RSA authentication normally provide a utility to generate an RSA key pair. The private 
key is usually stored in a password-protected file on the local host; the public key is stored in another file and is not 
protected. You should collect one public key from each client to be granted access to the HP device and place all 
of these keys into one file. This public key file is imported into the HP device. 

The following is an example of a public key file containing two public keys: 

1024 65537 16256605067838000614 94 60550286514 0612 3030679778206516611068664 85485 74 
94 95 73 39232259963157379681924847634614532 74217865276 7231995 74 6 941441604714 682680 
00 6445367903333 0420291249056907718288654183965655676902 54328814 77252978135 92 7821 
6754 062 94 783 92 66227512 8774 861815448523997023618173 3123284766607218888 73 94 6758201 
user@csp_client 

1024 35 1526761998898567696 93 55615561458 72 9155382631232809530042 84214 94164360924 
762 074 75545234679268443233 762295312 979418833525975695775705101805212541008074877 
2658611985 74 2270289700411216885214 50 74 087969840 642408451742714 5585923616 93 705908 
74 83787559 94 05503479603024287131312 793895007 92 74 380 74 97278 742369597763 52 5194 3 ro 
ot@unix_machine 

You can import the authorized public keys into the active configuration by loading them from a file on a TFTP 
server. Once the authorized public keys are loaded, you can optionally save them to the startup-config file. If you 
import a public key file from a TFTP server, the file is automatically loaded into the active configuration the next 
time the device is booted. Because TFTP is unauthenticated and unencrypted, whoever controls that TFTP server, 
or the file on it, controls which clients can log in to the device; protect the server and its network path to the 
device as carefully as the device's own configuration. 

HP devices support Secure Copy (SCP) for securely transferring files between hosts on a network. Note that 
when you copy files using SCP, you enter the commands on the SCP-enabled client, rather than the console on 
the HP device. 

If password authentication is enabled for SSH, the user will be prompted for a password in order to copy the file. 
See "Using Secure Copy" on page 4-9 for more information on SCP. 

After the file is loaded onto the TFTP server, it can be imported into the active configuration each time the device 
is booted. 

To cause a public key file called pkeys.txt to be loaded from a TFTP server each time the HP device is booted, 
enter a command such as the following: 

HP9300(config)# ip ssh pub-key-file tftp 192.168.1.234 pkeys.txt 

Syntax: ip ssh pub-key-file tftp <tftp-server-ip-addr> <filename> 

To display the currently loaded public keys, enter the following command: 

HP9300# show ip client-public-key 
1024 65537 16256605067838000614 94 6055 02 86514 0612 3030679778206516611068664 854 8574 
94 95 73 39232259963157379681924847634614532 74217865276 7231995 74 6 941441604714 682680 
00 6445367903333 0420291249056907718288654183965655676902 54328814 77252978135 92 7821 
6754 062 94 783 92 66227512 8774 861815448523997023618173 3123284766607218888 73 94 6758201 
user@csp_client 

1024 35 1526761998898567696 93 55615561458 72 9155382631232809530 04 2 84214 94164360924 
762 074 75545234679268443233 762295312 979418833525975695775705101805212541008074877 
2658611985 74 2270289700411216885214 50 74 087969840 642408451742714 5585923616 93 705908 
74 83787559 94 05503479603024287131312 793895007 92 74 380 74 97278 742369597763 52 5194 3 ro 
ot@unix_machine 

There are 2 authorized client public keys configured 
Syntax: show ip client-public-key 

To clear the public keys from the active configuration, enter the following command: 
HP9300# clear public-key 
Syntax: clear public-key 

To reload the public keys from the file on the TFTP server, enter the following command: 

HP9300(config)# ip ssh pub-key-file reload 
Syntax: ip ssh pub-key-file reload 

Once the public keys are part of the active configuration, you can make them part of the startup-config file. The 
startup-config file can contain a maximum of 10 public keys. If you want to store more than 10 public keys, keep 
them in a file on a TFTP server, where they will be loaded into the active configuration when the device is booted. 
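An added example, not from the HP guide, that checks a pkeys.txt file before it is placed on the TFTP server: each line must have the form "<bits> <exponent> <modulus> <comment>" shown in the listing above, the modulus must really be as long as the declared bit count, duplicate moduli are reported, and the key count is compared with the 10-key startup-config limit. The sample file is constructed inside the script from made-up odd numbers of the right length; they are not real RSA moduli. The guide's listing wraps long lines only for display; the file itself holds one key per line, which is what the parser expects.

```python
"""Sanity-check an SSH public key file in "<bits> <exponent> <modulus> <comment>" form.

Added example; not part of the HP guide. Run it on pkeys.txt before loading
the file with "ip ssh pub-key-file tftp".
"""
import re

STARTUP_CONFIG_KEY_LIMIT = 10   # the guide: startup-config holds at most 10 public keys

# One key per line: bits, public exponent, modulus, optional comment.
KEY_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)(?:\s+(.*?))?\s*$")

# Constructed sample file. The moduli are made-up odd numbers of the stated
# length so the size checks are meaningful; they are not real RSA keys.
GOOD_N = (1 << 1023) | 0x4F2D1      # 1024 bits, odd
SHORT_N = (1 << 767) | 0x3B5        # only 768 bits, but declared as 1024 below
SAMPLE_PKEYS = "\n".join([
    f"1024 65537 {GOOD_N} user@csp_client",
    f"1024 35 {GOOD_N + 2} root@unix_machine",
    "",
    f"1024 65537 {SHORT_N} stale@laptop",          # declared size does not match
    "this is not a key line",                      # will be reported as an error
    f"1024 65537 {GOOD_N} user@csp_client",        # duplicate of the first key
])


def parse_key_line(line):
    """Parse one key line and list anything wrong with it."""
    m = KEY_LINE.match(line)
    if not m:
        raise ValueError(f"not a '<bits> <exponent> <modulus> [comment]' line: {line[:40]!r}")
    bits, e, n = int(m.group(1)), int(m.group(2)), int(m.group(3))
    problems = []
    if n.bit_length() != bits:
        problems.append(f"declared {bits} bits but modulus is {n.bit_length()} bits")
    if e < 3 or e % 2 == 0:
        problems.append(f"public exponent {e} is not an odd integer >= 3")
    if n % 2 == 0:
        problems.append("modulus is even, so it cannot be a product of two odd primes")
    if bits < 1024:
        problems.append(f"{bits}-bit key is shorter than the 1024 bits the guide's examples use")
    return {"bits": bits, "e": e, "n": n, "comment": m.group(4) or "", "problems": problems}


def audit_key_file(text):
    """Parse every key, collect unparsable lines, duplicates and the 10-key check."""
    keys, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            keys.append(parse_key_line(line))
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
    by_modulus = {}
    for key in keys:
        by_modulus.setdefault(key["n"], []).append(key["comment"])
    return {
        "keys": keys,
        "errors": errors,
        "duplicates": [c for c in by_modulus.values() if len(c) > 1],
        "fits_startup_config": len(keys) <= STARTUP_CONFIG_KEY_LIMIT,
    }


if __name__ == "__main__":
    report = audit_key_file(SAMPLE_PKEYS)
    for key in report["keys"]:
        print(key["bits"], key["e"], key["comment"], key["problems"] or "ok")
    print("errors:", report["errors"])
    print("duplicates:", report["duplicates"])
    print("fits in startup-config:", report["fits_startup_config"])
```

The checks are purely structural: they catch a truncated or mis-pasted modulus and a key added twice, which are the errors that occur when several users' public keys are concatenated by hand, but they cannot tell a real RSA modulus from any other odd number.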

To make the public keys in the active configuration part of the startup-config file, enter the following commands: 

HP9300(config)# ip ssh pub-key-file flash-memory 
HP9300(config)# write memory 

Syntax: ip ssh pub-key-file flash-memory 

To clear the public keys from the startup-config file (if they are located there), enter the following commands: 

HP9300# clear public-key 
HP9300# write memory 

Enabling RSA Challenge-Response Authentication 

RSA challenge-response authentication is enabled by default. You can disable or re-enable it manually. 
To enable RSA challenge-response authentication: 

HP9300(config)# ip ssh rsa-authentication yes 

To disable RSA challenge-response authentication: 

HP9300(config)# ip ssh rsa-authentication no 

Syntax: ip ssh rsa-authentication yes | no 

Setting Optional Parameters 

You can adjust the following SSH settings on the HP device: 

• The number of SSH authentication retries 

• The server RSA key size 

• The user authentication method the HP device uses for SSH connections 
• Whether the HP device allows users to log in without supplying a password 

• The port number for SSH connections 

• The SSH login timeout value 

• A specific interface to be used as the source for all SSH traffic from the device 

Setting the Number of SSH Authentication Retries 

By default, the HP device attempts to negotiate a connection with the connecting host three times. The number of 
authentication retries can be set to any value from 1 to 5. 

For example, the following command changes the number of authentication retries to 5: 

HP9300(config)# ip ssh authentication-retries 5 
Syntax: ip ssh authentication-retries <number> 

Setting the Server RSA Key Size 

The default size of the dynamically generated server RSA key is 768 bits. The size of the server RSA key can be 
set to any value from 512 to 896 bits. Use the largest size the device accepts: 512-bit RSA moduli have been 
factored publicly and offer no meaningful protection. 

For example, the following command changes the server RSA key size to 896 bits: 

HP9300(config)# ip ssh key-size 896 
Syntax: ip ssh key-size <number> 

NOTE: The size of the host RSA key that resides in the system-config file is always 1024 bits and cannot be 
changed. 



Deactivating User Authentication 

After the SSH server on the HP device negotiates a session key and encryption method with the connecting client, 
user authentication takes place. HP's implementation of SSH supports RSA challenge-response authentication 
and password authentication. 

With RSA challenge-response authentication, a collection of clients' public keys are stored on the HP device. 
Clients are authenticated using these stored public keys. Only clients that have a private key that corresponds to 
one of the stored public keys can gain access to the device using SSH. 

With password authentication, users are prompted for a password when they attempt to log into the device 
(provided empty password logins are not allowed; see "Enabling Empty Password Logins" on page 4-5). If there 
is no user account that matches the user name and password supplied by the user, the user is not granted 
access. 

You can deactivate one or both user authentication methods for SSH. Note that deactivating both authentication 
methods essentially disables the SSH server entirely. 

To disable RSA challenge-response authentication: 

HP9300(config)# ip ssh rsa-authentication no 

Syntax: ip ssh rsa-authentication no | yes 

To deactivate password authentication: 

HP9300(config)# ip ssh password-authentication no 
Syntax: ip ssh password-authentication no | yes 

Enabling Empty Password Logins 

By default, empty password logins are not allowed. This means that users with an SSH client are always 
prompted for a password when they log into the device. To gain access to the device, each user must have a user 
name and password. Without a user name and password, a user is not granted access. See "Setting Up Local 
User Accounts" on page 3-11 for information on setting up user names and passwords on HP devices. 

If you enable empty password logins, users are not prompted for a password when they log in. Any user with an 
SSH client can log in without being prompted for a password, so the user accounts no longer restrict who can 
reach the device. Leave this setting at its default (no) on any device reachable from a network you do not fully 
control. 

To enable empty password logins: 

HP9300(config)# ip ssh permit-empty-passwd yes 
Syntax: ip ssh permit-empty-passwd no | yes 

Setting the SSH Port Number 

By default, SSH traffic occurs on TCP port 22. You can change this port number. For example, the following 
command changes the SSH port number to 2200: 

HP9300(config)# ip ssh port 2200 

Note that if you change the default SSH port number, you must configure SSH clients to connect to the new port. 
Also, you should be careful not to assign SSH to a port that is used by another service. If you change the SSH 
port number, HP recommends that you change it to a port number greater than 1024. 

Syntax: ip ssh port <number> 

Setting the SSH Login Timeout Value 

When the SSH server attempts to negotiate a session key and encryption method with a connecting client, it waits 
a maximum of 120 seconds for a response from the client. If there is no response from the client after 120 
seconds, the SSH server disconnects. You can change this timeout value to any value from 1 to 120 seconds. For 
example, to change the timeout value to 60 seconds: 

HP9300(config)# ip ssh timeout 60 

Syntax: ip ssh timeout <seconds> 

Designating an Interface as the Source for All SSH Packets 

You can designate a loopback interface, virtual interface, or Ethernet port as the source for all SSH packets from 
the device. The software uses the IP address with the numerically lowest value configured on the port or interface 
as the source IP address for SSH packets originated by the device. 



NOTE: When you specify a single SSH source, you can use only that source address to establish SSH 
management sessions with the HP device. 



To specify the numerically lowest IP address configured on a loopback interface as the device's source for all SSH 
packets, enter commands such as the following: 

HP9300(config)# int loopback 2 

HP9300(config-lbif-2)# ip address 10.0.0.2/24 

HP9300(config-lbif-2)# exit 

HP9300(config)# ip ssh source-interface loopback 2 

The commands in this example configure loopback interface 2, assign IP address 10.0.0.2/24 to the interface, then 
designate the interface as the source for all SSH packets from the routing switch. 

Syntax: ip ssh source-interface ethernet <portnum> | loopback <num> | ve <num> 

The <num> parameter is a loopback interface or virtual interface number. If you specify an Ethernet port, the 
<portnum> is the port's number (including the slot number, if you are configuring an HP 9304M or HP 9308M). For 
example: 

HP9300(config)# interface ethernet 1/4 

HP9300(config-if-1/4)# ip address 209.157.22.110/24 

HP9300(config-if-1/4)# exit 

HP9300(config)# ip ssh source-interface ethernet 1/4 
Viewing SSH Connection Information 

Up to five SSH connections can be active on the HP device. To display information about SSH connections, enter 
the following command: 

HP9300#show ip ssh 
Connection  Version  Encryption  State  Username 
1           1.5      ARCFOUR     0x82   neville 
2           1.5      IDEA        0x82   lynval 
3           1.5      3DES        0x82   terry 
4           1.5      none        0x0    0 
5           1.5      none        0x0    0 

Syntax: show ip ssh 

This display shows the following information about the active SSH connections: 



Table 4.1: SSH Connection Information 

This Field...   Displays... 

Connection      The SSH connection ID. This can be from 1 - 5. 

Version         The SSH version number. This should always be 1.5. (The device implements SSH protocol 
                version 1 only; modern SSH clients no longer enable protocol 1 by default.) 

Encryption      The encryption method used for the connection. This can be IDEA, ARCFOUR, DES, 3DES, or 
                BLOWFISH. 

State           The connection state. This can be one of the following: 

                0x00  Server started to send version number to client. 
                0x01  Server sent version number to client. 
                0x02  Server received version number from client. 
                0x20  Server sent public key to client. 
                0x21  Server is waiting for client's session key. 
                0x22  Server received session key from client. 
                0x23  Server is verifying client's session key. 
                0x24  Client's session key is verified. 
                0x25  Server received client's name. 
                0x40  Server is authenticating client. 
                0x41  Server is continuing to authenticate client after one or more failed attempts. 
                0x80  Server main loop started after successful authentication. 
                0x81  Server main loop sent a message to client. 
                0x82  Server main loop received a message from client. 

Username        The user name for the connection. 



The show who command also displays information about SSH connections. For example: 

HP9300#show who 
Console connections: 
        established, active 
Telnet connections: 
        1       closed 
        2       closed 
        3       closed 
        4       closed 
        5       closed 
SSH connections: 
        1       established, client ip address 209.157.22.8 
                16 seconds in idle 
        2       established, client ip address 209.157.22.21 
                42 seconds in idle 
        3       established, client ip address 209.157.22.68 
                49 seconds in idle 
        4       closed 
        5       closed 

Syntax: show who 

To terminate one of the active SSH connections, enter the following command: 
HP9300# kill ssh 1 
Syntax: kill ssh <connection-id> 

Sample SSH Configuration 

The following is a sample SSH configuration for an HP device. 

hostname HP9300 
ip dns domain-name hpshopping.com 
! 
aaa authentication login default local 
username neville password 
username lynval password 
username terry password 
! 
ip ssh permit-empty-passwd no 
! 
ip ssh pub-key-file tftp 192.168.1.234 pkeys.txt 
! 
crypto key generate rsa public_key "1024 35 144460146631716543532035011163035196 
4119319512 52058 9445263 74 62409522275505020 84 508 73 0298520996034623917299567632 93 57 
247775301886662678981956482531815516246813 94 520681672610 82 81883104139622423012 96 
26883937176769776184984093100984 01707536 93 8707100663796665087 72 246779794 86802651 
458324218055083313 313 94 8534902409 HP9300@hpshopping.com" 
! 
crypto key generate rsa private_key "*************************" 
! 
ip ssh authentication-retries 5 

The aaa authentication login default local command configures the device to use the local user accounts to 
authenticate users attempting to log in. 

Three user accounts are configured on the device. The ip ssh permit-empty-passwd no command causes 
users always to be prompted for a password when they attempt to establish an SSH connection. Since the device 
uses local user accounts for authentication, only these three users are allowed to connect to the device using 
SSH. 

The ip ssh pub-key-file tftp command causes a public key file called pkeys.txt to be loaded from a TFTP server 
at 192.168.1.234. To gain access to the HP device using SSH, a user must have a private key that corresponds to 
one of the public keys in this file. 
The crypto key generate rsa public_key and crypto key generate rsa private_key statements are both 
generated by the crypto key generate rsa command. The public key is visible; the private key is not. You may 
need to copy the public key to a "known hosts" file (for example, $HOME/.ssh/known_hosts on UNIX systems) on 
the clients that will access the device, so that each client can verify it is talking to this device and not to a host 
impersonating it. See "Providing the Public Key to Clients" on page 4-2 for an example of what to place in the 
known hosts file. 

The ip ssh authentication-retries 5 command sets the number of times the HP device attempts to negotiate a 
connection with the connecting host to 5. 
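An added example, not part of the HP guide, that reads a saved configuration such as the one above and reports SSH settings that weaken the device relative to the defaults and limits documented in this chapter: empty-password logins, both user authentication methods disabled, a server key size below the 896-bit maximum, a non-default port at or below 1024, extra authentication retries, and an authorized key file that depends on a TFTP server at every boot. The two configurations it checks are constructed inside the script: the guide's sample (with the key statements omitted) and a weakened variant.

```python
"""Audit the "ip ssh ..." lines of a saved HP 9300 configuration.

Added example; not code from the HP guide. Defaults and limits below are the
ones this chapter documents.
"""
import re

DEFAULTS = {
    "permit-empty-passwd": "no",
    "rsa-authentication": "yes",
    "password-authentication": "yes",
    "authentication-retries": "3",
    "key-size": "768",
    "port": "22",
    "timeout": "120",
    "pub-key-file": None,          # no authorized key file configured
}
MAX_KEY_SIZE = 896                 # largest server RSA key the device accepts
DEFAULT_RETRIES = 3

SSH_LINE = re.compile(r"^\s*ip ssh (\S+)\s*(.*?)\s*$")

# Constructed sample 1: the guide's sample configuration, key statements omitted.
GUIDE_SAMPLE = """\
hostname HP9300
aaa authentication login default local
username neville password
username lynval password
username terry password
ip ssh permit-empty-passwd no
ip ssh pub-key-file tftp 192.168.1.234 pkeys.txt
ip ssh authentication-retries 5
"""

# Constructed sample 2: the same device after several unsafe changes.
WEAKENED = """\
hostname HP9300
ip ssh permit-empty-passwd yes
ip ssh key-size 512
ip ssh port 222
ip ssh timeout 120
"""


def ssh_settings(config_text):
    """Return the effective "ip ssh" settings, last statement winning."""
    settings = dict(DEFAULTS)
    for line in config_text.splitlines():
        m = SSH_LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def audit_ssh(config_text):
    """Return (severity, message) findings, worst first in source order."""
    s = ssh_settings(config_text)
    findings = []
    if s["permit-empty-passwd"] == "yes":
        findings.append(("critical", "permit-empty-passwd yes: any SSH client can log in without a password"))
    if s["rsa-authentication"] == "no" and s["password-authentication"] == "no":
        findings.append(("high", "rsa-authentication and password-authentication both disabled: SSH is effectively off"))
    key_size = int(s["key-size"])
    if key_size < MAX_KEY_SIZE:
        severity = "high" if key_size <= 512 else "medium"
        findings.append((severity, f"server RSA key-size {key_size}: set the 896-bit maximum the device supports"))
    port = int(s["port"])
    if port != 22 and port <= 1024:
        findings.append(("low", f"ssh port {port}: the guide recommends a port above 1024 when moving off 22"))
    retries = int(s["authentication-retries"])
    if retries > DEFAULT_RETRIES:
        findings.append(("low", f"authentication-retries {retries}: more guesses per connection than the default {DEFAULT_RETRIES}"))
    pub_key_file = s["pub-key-file"]
    if pub_key_file is None and s["rsa-authentication"] == "yes":
        findings.append(("info", "rsa-authentication enabled but no pub-key-file: only password logins can succeed"))
    elif pub_key_file and pub_key_file.startswith("tftp"):
        findings.append(("info", f"authorized keys fetched over TFTP at every boot ({pub_key_file}): protect that server"))
    return findings


if __name__ == "__main__":
    for name, text in (("guide sample", GUIDE_SAMPLE), ("weakened", WEAKENED)):
        print(name)
        for severity, message in audit_ssh(text):
            print(f"  [{severity}] {message}")
```

Feed it the output of a saved configuration pulled with scp (see "Using Secure Copy" below); because unset parameters fall back to the documented defaults, a configuration that never mentions key-size is still flagged for running at 768 bits.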

Using Secure Copy 

Secure Copy (SCP) uses security built into SSH to transfer files between hosts on a network, providing a more 
secure file transfer method than Remote Copy (RCP) or FTP. SCP automatically uses the authentication 
methods, encryption algorithm, and data compression level configured for SSH. For example, if password 
authentication is enabled for SSH, the user is prompted for a user name and password before SCP allows a file to 
be transferred. No additional configuration is required for SCP on top of SSH. 

You can use SCP to copy files on the HP device, including the startup-config and running-config files, to or from an 
SCP-enabled remote host. 

SCP is enabled by default and can be disabled. To disable SCP, enter the following command: 

HP9300(config)# ip ssh scp disable 
Syntax: ip ssh scp disable | enable 



NOTE: If you disable SSH, SCP is also disabled. 



The following are examples of using SCP to transfer files from and to an HP device 



NOTE: When using SCP, you enter the scp commands on the SCP-enabled client, rather than the console on 
the HP device. 



NOTE: Certain SCP client options, including -p and -r, are ignored by the SCP server on the HP device. If an 
option is ignored, the client is notified. 



To copy a configuration file (c:\cfg\hp.cfg) to the running-config file on an HP device at 192.168.1.50 and log in as 
user terry, enter the following command on the SCP-enabled client: 

C:\> scp c:\cfg\hp.cfg terry@192.168.1.50:runConfig 

If password authentication is enabled for SSH, the user is prompted for user terry's password before the file 
transfer takes place. 

To copy the configuration file to the startup-config file: 

C:\> scp c:\cfg\hp.cfg terry@192.168.1.50:startConfig 

To copy the running-config file on an HP device to a file called c:\cfg\hpconfig.cfg on the SCP-enabled client: 

C:\> scp terry@192.168.1.50:runConfig c:\cfg\hpconfig.cfg 

To copy the startup-config file on an HP device to a file called c:\cfg\hpstart.cfg on the SCP-enabled client: 

C:\> scp terry@192.168.1.50:startConfig c:\cfg\hpstart.cfg 
Chapter 5 

Using Redundant Management Modules 



This chapter describes the redundant management modules and how to configure and manage them. Redundant 
management modules provide increased routing capacity and failover for HP 9304M or HP 9308M Chassis 
devices. 

See the following sections for information: 

• "Configuring the Redundant Management Parameters" on page 5-3 

• "File Synchronization Between the Active and Standby Redundant Management Modules" on page 5-10 

• "Switching Over to the Standby Redundant Management Module" on page 5-15 

• "Temperature Sensor" on page 5-16 

The redundant management modules are fully-functional CPU management modules for the HP 9304M or HP 
9308M Chassis devices. You can use one or two redundant management modules in these devices. 

The redundant management modules provide increased route capacity for routing switches running Border 
Gateway Protocol Version 4 (BGP4). In addition, the redundant management modules contain a configurable 
temperature sensor that sends a Syslog message and SNMP trap if the temperature on the module exceeds a 
specified warning level. The temperature sensor also can shut the module down automatically to prevent 
damage. 

You can use one or two redundant management modules in an HP 9304M or HP 9308M chassis. Using two 
redundant management modules adds fault protection against system outage. The two modules work together as 
active and standby management modules. If the active module becomes unavailable, the standby module 
automatically takes over system operation. 

You do not need to sacrifice port density when using redundant management modules. The redundant 
management modules are available in the following configurations: 

• 8-port 1000BaseSX module 

• 8-port 1000BaseLX module 

• 0-port module 



5-1 



Installation and Getting Started Guide 



Configuration Considerations 

You can use one or two redundant management modules in a Chassis device. 

• You cannot use older management modules in the same Chassis device with redundant management 
modules. 

• The flash code (system software) image file for a device running the redundant management modules is 
different from the flash code for systems running older management modules. The flash code for redundant 
management modules begins with "H2R". If your flash code does not start with "H2R" then you cannot use 
the module as a redundant management module. 

Temperature Sensor 

The redundant management modules contain a temperature sensor. You can use the CLI or Web management 
interface to display the active redundant management module's temperature and to change the warning and 
shutdown temperature levels. See "Temperature Sensor" on page 5-16. 

Switchover 

When you power on or reload an HP 9304M or HP 9308M Chassis device that contains two redundant 
management modules, the active redundant management module is selected based on the chassis slot 
previously specified by you or according to the lower slot number. 

After the active module is selected, the active module loads its boot and flash code (boot and system software) 
and its system-config file and manages the system. The standby module also boots, using its own boot code but 
using the active module's flash code and system-config file. The standby module monitors the heartbeat of the 
active module. If the active module becomes unavailable, the standby module notices the absence of the 
heartbeat and assumes management control of the system. 



NOTE: By default, the system does not use the boot code on the active module to boot the standby module. If 
you upgrade the boot code on the active module and the code contains a problem, you can still use the system by 
running the older boot code that is on the standby module. You can configure the standby to synchronize with the 
active module's boot code. See "File Synchronization Between the Active and Standby Redundant Management 
Modules" on page 5-10. 



The standby module's system-config file is updated whenever the system-config file on the active module is 
updated. In addition, the running-config file on the standby module is updated at regular intervals to match the 
active module's running-config data. Thus, when a switchover occurs, the standby module also can reinstate the 
configuration data in the active module's running-config. 

Following this switchover to the standby module, the standby module becomes the active module and continues 
to manage the system. When the other redundant management module (the one that used to be the active 
module) becomes available again or is replaced, that module becomes the standby module. 

The active module also monitors the standby module. If the standby module becomes unavailable, the active 
module tries to reboot the standby module. You can display the status of each module using the CLI or the Web 
management interface, as described in "Determining Redundant Management Module Status" on page 5-7. 

Management Sessions 

You can establish management sessions only with the active redundant management module, not with the 
standby redundant management module. During switchover, all the CLI and Web management interface sessions 
open on the system are closed. To manage the system following a switchover, you must open a new 
management session. Although the system's MAC addresses change following switchover, the IP addresses do 
not. You can open new management sessions on the same IP addresses you were using before the switchover if 
desired. 

To establish a serial connection to the CLI, you must move the serial cable to the serial port on the active 
redundant management module. 
Syslog and SNMP Traps 

When a switchover occurs, the software sends a Syslog message to the local Syslog buffer and also to the 
SyslogD server, if you have configured the HP device to use one. In addition, if you have configured an SNMP 
trap receiver, the software sends an SNMP trap to the receiver. 

When the system is powered on or otherwise reset normally, the software sends a cold start message and trap. 
However, if the system is reset as the result of switchover to the standby redundant management module, the 
software instead sends a switchover message and trap. 

MAC Address Changes 

The MAC addresses in the system are based on the MAC address of the active management module. During 
switchover, the system's MAC addresses change and the system sends out gratuitous ARP requests to flush the 
old MAC addresses from the ARP caches on attached IP devices, and update the caches with the HP device's 
new MAC addresses. 

Configuring the Redundant Management Parameters 

You can configure the following redundant management module parameters: 

• Installation parameters: 

  • Slot configuration. As with other module types, you must configure a chassis slot for the type of module 
    you are installing in the slot. 

  • Active redundant management module slot. By default, the redundant management module with the 
    lower slot number is the active module. 

• Operational parameters: 

  • Boot code synchronization. By default, the standby redundant management module does not 
    automatically synchronize to the boot code version installed on the active module. The standby module 
    does automatically synchronize to the flash code (system software) on the active module. 

  • Synchronization interval for running-config file 

  • Warning and shutdown temperatures 

Installing Redundant Management Modules 

To install a redundant management module, perform the following tasks: 

• Configure the chassis slot to receive the module. 

NOTE: The system must be running a version of software that supports the module you want to install. 

• Insert the module. 

• Specify the default active module (if you do not want to use the system default, which is the redundant 
  management module with the lower slot number). 

In addition, if you use a TFTP or BootP server to boot the active module, you need to copy the flash code (system 
software) into the primary or secondary flash on the active redundant management module, then direct the active 
redundant management module to use the code to boot the standby module. 

A standby redundant management module does not boot from a TFTP or BootP server. 






Configuring the Chassis to Receive the Module 

When you plan to insert a module into a chassis slot, you first must configure the slot to receive the module unless 
the slot already contains the same type of module. 

USING THE CLI 

To prepare slot 1 to receive an 8-port Gigabit redundant management module, enter the following commands at 
the global CONFIG level: 

HP9300(config)# module 1 8-port-gig-management-module 
HP9300(config)# write memory 
Syntax: module <slot-num> <module-type> 

In the current software release, the <module-type> for a Redundant Management module can be one of the 
following: 

• 0-port-management-module - J4847A 

• 8-port-gig-management-module - J4845A or J4846A 

See the "Swapping Modules (Chassis Devices only)" on page 2-25 for a list of other module types. 
USING THE WEB MANAGEMENT INTERFACE 

1. Log on to the device using a valid user name and password for read-write access. The System configuration 
dialog is displayed. 

2. Click on the Module link to display the Module panel, as shown in the following example. 

Module 

Slot  Module                         Status  Ports  Starting MAC 
1     8 Port Gig Management Module   OK      8      00e0.52f0.4f00   [Delete] 
2     None                                                           [Delete] 
3     24 Port Copper Module          OK      24     00e0.52f0.4f40   [Delete] 
4     24 Port Copper Module          OK      24     00e0.52f0.4f50   [Delete] 
5     None                                                           [Delete] 
6     None                                                           [Delete] 
7     None                                                           [Delete] 
8     None                                                           [Delete] 

[Add Module] 
3. Click the Add Module link to display the following panel. 

Module 

Slot:          [pulldown] 
Module Type:   [0-port-management-module] 

[Add] [Delete] [Reset] [Show] 



4. Select the slot number from the Slot pulldown menu. 

• Slots on the HP 9304M are numbered 1 - 4, from top to bottom. 

• Slots on the HP 9308M are numbered 1 - 8, from left to right. 

5. Select the module type from the Module Type pulldown menu. 

6. Click the Add button to save the change to the device's running-config file. 

7. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change 
to the startup-config file on the device's flash memory. 

The configuration change is saved to the active redundant management module's startup-config file. (The 
change is automatically sent to the standby module when the active module's system-config file is copied to 
the standby module.) 

NOTE: You also can access the dialog for saving configuration changes by clicking on Command in the tree 
view, then clicking on Save to Flash . 

Specifying the Default Active Module 

By default, the redundant management module in the lower slot number becomes the active redundant 
management module when you start the system. For example, if you install redundant management modules in 
slots 1 and 8 in an HP 9308M chassis, the default active module is the module in slot 1. 

NOTE: 

• Slots on the HP 9304M are numbered 1 - 4, from top to bottom. 

• Slots on the HP 9308M are numbered 1 - 8, from left to right. 

You can override the default and specify the active module. 

NOTE: The change does not take effect until you reload the system. If you save the change to the active 
module's system-config file before reloading, the change persists across system reloads. Otherwise, the change 
affects only the next system reload. 

USING THE CLI 

To override the default and specify the active redundant management module, enter the following commands: 

HP9300(config)# redundancy 

HP9300(config-redundancy)# active-management 5 
Syntax: active-management <slot-num> 
The <slot-num> parameter specifies the chassis slot: 

• Slots on an HP 9304M chassis are numbered 1 - 4, from top to bottom. 

• Slots on an HP 9308M chassis are numbered 1 - 8, from left to right. 

This command overrides the default and makes the redundant management module in slot 5 the active module 
following the next reload. The change affects only the next reload and does not remain in effect for future reloads. 

To make the change permanent across future reloads, enter the write memory command to save the change to 
the startup-config file, as shown in the following example: 

HP9300(config)# redundancy 

HP9300(config-redundancy)# active-management 5 
HP9300(config-redundancy)# write memory 

NOTE: If you do not save the change to the startup-config file, the change affects only the next reload. 
USING THE WEB MANAGEMENT INTERFACE 

1. Log on to the device using a valid user name and password for read-write access. The System configuration 
dialog is displayed. 

2. Select the Redundant link to display the following panel. 

Redundant Management Modules 

Active Management Slot:                       [Auto Select] 

Standby Management Module Synchronization 
  Running Configuration Interval (sec):       [      ]   [Synchronize Configuration Now] 
  Boot Flash:                                 [ ]        [Synchronize Boot Flash Now] 

[Apply] [Reset] 

[Switch-over Active Module] 

3. Select the slot number for the active redundant management module from the Active Management Slot 
pulldown menu. If you use the default value, Auto Select, the Chassis device uses the redundant management 
module in the lower slot number. 

• Slots on the HP 9304M are numbered 1 - 4, from top to bottom. 

• Slots on the HP 9308M are numbered 1 - 8, from left to right. 

4. Click the Apply button to send the configuration change to the active module's running-config file. 

5. If you want the change to remain in effect following the next system reload, select the Save link to save the 
configuration change to the active redundant management module's startup-config file. (The change is 
automatically sent to the standby module when the active module's system-config file is copied to the standby 
module.) 

NOTE: If you do not save the change to the startup-config file, the change affects only the next reload.

NOTE: The other options on this panel are described in later sections.

Inserting the Module

You can remove and insert modules when the system is powered on. Make sure you adhere to the cautions noted 
in "Installation Precautions" on page 2-3. 

1. Put on an ESD wrist strap and attach the clip end to a metal surface (such as an equipment rack) to act as
ground. 

2. Remove the module or faceplate from the slot: 

3. If you are replacing another module, loosen the two screws on the module you are removing. 

• Pull the card ejectors towards you, away from the module front panel. The card will unseat from the 
backplane. 

• Pull the module out of the chassis and place in an anti-static bag for storage.

4. If you are installing a redundant management module in an unoccupied module slot, remove the blank 
faceplate from the slot in which the module is to be installed. Place the blank faceplate in a safe place for 
future use. 

5. Remove the redundant management module from its packaging. 

6. Insert the module into the chassis slot and glide the card along the card guide until the card ejectors on the 
front of the module touch the chassis. 

• Modules for the HP 9304M slide in horizontally with the module label on the left. 

• Modules for the HP 9308M slide in vertically with the module label at the top. 

7. Push the ejectors toward the center of the module until they are flush with the front panel of the module. The 
module will be fully seated in the backplane. 

8. Tighten the two screws at either end of the module. 

9. If you do not use one or more of the slots, make sure that a slot faceplate is still attached over each unused 
slot for safe operation and proper system cooling. 

Determining Redundant Management Module Status 

You can determine the status of a redundant management module in the following ways: 

• Status LED - The redundant management module has two green LEDs on the right side of the CLI serial port. 
The lower LED shows the management status. 

• Module information in software - The module information displayed by the software indicates whether the 
module is the active module, the standby module, or has another status. 

Status LED 

If you are located near the HP 9304M or HP 9308M chassis, you can determine which redundant management 
module is currently the active module and which one is the standby by observing the upper green LED to the right 
of the serial management port. If the upper green LED is lit, the module is currently the active redundant 
management module. If the LED is dark, the module is the standby. The lower green LED indicates the power 
status. If the lower LED is dark, the module is not receiving power. (A module without power will not function as 
the active or standby module.) 

Software 

You can display status information for the modules using either of the following methods. 



NOTE: 

• Slots on the HP 9304M are numbered 1 - 4, from top to bottom.

• Slots on the HP 9308M are numbered 1 - 8, from left to right.

USING THE CLI

To display the status of a redundant management module using the CLI, enter the following command at any CLI 
level: 



HP9300> show module

Module                           Status    Ports   Starting MAC
S1  8 Port Gig Management Module ACTIVE    8       00e0.5202.a2d4
S2  24 Port Copper Module        OK        24      00e0.5202.a2d4
S3  24 Port Copper Module        OK        24      00e0.5202.a2d4
S4  24 Port Copper Module        OK        24      00e0.5202.a2d4
S5  8 Port Gig Management Module STANDBY   8       00e0.5202.a334
S6  24 Port Copper Module        OK        24      00e0.5202.a2d4
S7  24 Port Copper Module        OK        24      00e0.5202.a2d4
S8  24 Port Copper Module        OK        24      00e0.5202.a2d4

Syntax: show module



NOTE: The module descriptions do not distinguish between SX and LX ports. 

The Status column shows the module status. The redundant management modules can have one of the following 
statuses: 

• ACTIVE - The module is currently the active management module. 

• STANDBY - The module is the standby management module. 

• COMING UP - The module is coming up as the standby module. This status can be observed during
switchover.

The statuses above apply only to management modules. The following statuses apply only to host modules:

• FAILED - This status applies only to host modules, not to management modules. This status indicates that
the host module failed to come up.

• OK - This status applies only to host modules, not to management modules. This status indicates that the
module came up and is operating normally.

USING THE WEB MANAGEMENT INTERFACE 

1. Log on to the device using a valid user name and password for read-write access. The System configuration
dialog is displayed. 

2. Click on the Module link to display the Module panel, as shown in the following example. 
[Module panel]

Slot  Module                         Status   Ports   Starting MAC
1     8 Port Gig Management Module   OK       8       00e0.52f0.4f00   [Delete]
2     None                                                             [Delete]
3     24 Port Copper Module          OK       24      00e0.52f0.4f40   [Delete]
4     24 Port Copper Module          OK       24      00e0.52f0.4f60   [Delete]
5     None                                                             [Delete]
6     None                                                             [Delete]
7     None                                                             [Delete]
8     None                                                             [Delete]

[Add Module]



The Status column shows the module status. The redundant management modules can have one of the following 
statuses: 

• ACTIVE - The module is currently the active management module. 

• STANDBY - The module is the standby management module. 

The statuses above apply only to management modules. The following statuses apply only to host modules: 

• FAILED - This status applies only to host modules, not to management modules. This status indicates that 
the host module failed to come up. 

• OK - This status applies only to host modules, not to management modules. This status indicates that the 
module came up and is operating normally. 

Displaying Switchover Messages 

You can determine whether a switchover has occurred by viewing the system log or the traps logged on an SNMP 
trap receiver. 

USING THE CLI 

To view the system log, enter the following command at any level of the CLI: 

HP9300> show log

Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Buffer logging: level ACDMEINW, 8 messages logged
level code: A=alert C=critical D=debugging M=emergency E=error
I=informational N=notification W=warning

Static Log Buffer:

Dynamic Log Buffer (50 entries):

at 0 days 0 hours 0 minutes 0 seconds, level alert
Management module at slot 1 state changed, changed state from standby to active

USING THE WEB MANAGEMENT INTERFACE 

1. Log on to the device using a valid user name and password for read-write access. The System configuration
dialog is displayed. 

2. Click on the plus sign next to Monitor in the tree view to display the Monitor options. 

3. Select the System Log link to display the system log. 

File Synchronization Between the Active and Standby Redundant Management Modules

Each redundant management module contains four files that can be synchronized between the two modules: 

• Boot code - The code the module runs when it first starts up. By default, the boot code is not synchronized
between redundant management modules. This ensures that the system can still operate if a new version of 
boot code contains a bug that prohibits normal operation. If the new code on the active module does not work 
properly, the system can still run using the older version of boot code on the standby module. 

You can configure the standby redundant management module to synchronize with the active redundant 
management module's boot code whenever the boot code on the active module is updated or the system 
starts up. 

• Flash code (system software) - The flash code is automatically synchronized between the redundant 
management modules. When the system starts up, the active redundant management module sends its flash 
code to the standby redundant management module to boot the module. 

• System-config file - The system-config file is automatically copied from the active redundant management 
module to the standby redundant management module when the system starts up. The file is also copied to 
the standby module whenever you save changes to the file. If switchover occurs, the standby redundant 
management module loads system parameters from the running-config data that was last received from the 
active redundant management module. If the standby module did not receive running-config data from the 
active module, the standby module uses configuration information in the system-config file copied from the 
active module. 

• Running-config - The running-config is automatically copied from the active redundant management module 
to the standby redundant management module at regular intervals. The default interval is 10 seconds. You 
can change the interval to 4 - 20 seconds. If you set the interval to 0, the configuration data is not copied to 
the standby redundant management module. As described above, if switchover occurs, the standby 
redundant management module loads system parameters from the running-config that was last received from 
the active redundant management module. 

Figure 5.1 shows how the files are synchronized between the active redundant management module and the 
standby redundant management module. 
[Figure 5.1: the active redundant management module's system software (flash code), startup-config file, running-config file and boot code, each with an arrow to the same file on the standby redundant management module. Annotations: system software and startup-config file are automatically synchronized at startup or switchover, and the startup-config is also automatically updated with the write memory command; the running-config is automatically synchronized at regular, user-configurable intervals and can also be immediately synchronized using the CLI or Web management interface; the boot code is not automatically synchronized but can be configured to synchronize at startup or switchover, and can also be immediately synchronized using the CLI or Web management interface.]

Figure 5.1 Redundant management module file synchronization

Displaying the Synchronization Settings 

You can independently synchronize the following types of software between the active and standby modules: 

• boot code 

• flash code (system software) 

• startup-config file 

• running-config 

When you synchronize software between the modules, the active module copies its software to the standby 
module. 

To display the current file synchronization settings, enter the following command: 

HP9300# sync-standby

Sync code image : TRUE
Sync config data: TRUE
Sync boot image : FALSE

Running-config sync interval is 10 seconds

NOTE: The values shown in this example are the default values.

Syntax: sync-standby



NOTE: The sync-standby command has optional parameters. If you enter one of the parameters, the CLI 
synchronizes software between the modules. To display the synchronization settings instead of synchronizing 
software, enter the command without parameters. 



This display shows the following information.

Table 5.1: CLI Display of Synchronization Settings

This Field...                  Displays...

Sync code image                Indicates whether the active module is configured to automatically
                               synchronize its flash code with the standby module. The value can be
                               one of the following:
                               • FALSE - The code is not automatically synchronized.
                               • TRUE - The code is automatically synchronized.

Sync config data               Indicates whether the active module is configured to automatically
                               synchronize its startup-config file with the standby module. The value
                               can be one of the following:
                               • FALSE - The startup-config file is not automatically synchronized.
                               • TRUE - The startup-config file is automatically synchronized.

Sync boot image                Indicates whether the active module is configured to automatically
                               synchronize its boot code with the standby module. The value can be
                               one of the following:
                               • FALSE - The boot code is not automatically synchronized.
                               • TRUE - The boot code is automatically synchronized.

Running-config sync interval   Indicates whether the active module is configured to automatically
                               synchronize its running-config with the standby module. The value
                               can be one of the following:
                               • FALSE - The running-config is not automatically synchronized.
                               • TRUE - The running-config is automatically synchronized.
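The show module output and the sync-standby display above are the two places an operator can see whether the redundancy described in this chapter is actually in place. The following added example (not HP's code) parses both in the layouts shown on this page and applies the rules the text states: one ACTIVE and one STANDBY management module, no FAILED host module, and a running-config interval of 4 - 20 seconds (0 disables the copy). The sample output is constructed, with a FAILED host module and a 0-second interval added so the checks have something to report.

```python
"""Audit `show module` and `sync-standby` output for redundancy problems.

Added example, not HP code. The two text samples are constructed in the
format shown on this page.
"""
import re

# Constructed sample in the `show module` layout shown above.
SHOW_MODULE = """\
HP9300> show module
Module                           Status    Ports   Starting MAC
S1  8 Port Gig Management Module ACTIVE    8       00e0.5202.a2d4
S2  24 Port Copper Module        OK        24      00e0.5202.a2d4
S5  8 Port Gig Management Module STANDBY   8       00e0.5202.a334
S6  24 Port Copper Module        FAILED    24      00e0.5202.a2d4
"""

# Constructed sample in the `sync-standby` layout shown above.
SYNC_STANDBY = """\
HP9300# sync-standby
Sync code image : TRUE
Sync config data: TRUE
Sync boot image : FALSE

Running-config sync interval is 0 seconds
"""

MODULE_RE = re.compile(
    r"^S(\d+)\s+(.+?)\s+(ACTIVE|STANDBY|COMING UP|OK|FAILED)\s+(\d+)\s+"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})$"
)
SYNC_RE = re.compile(r"^Sync (code image|config data|boot image)\s*:\s*(TRUE|FALSE)$")
INTERVAL_RE = re.compile(r"^Running-config sync interval is (\d+) seconds$")


def parse_show_module(text):
    """Return one dict per module row: slot, name, status, ports, mac."""
    modules = []
    for line in text.splitlines():
        m = MODULE_RE.match(line.strip())
        if m:
            modules.append({
                "slot": int(m.group(1)), "name": m.group(2), "status": m.group(3),
                "ports": int(m.group(4)), "mac": m.group(5),
            })
    return modules


def parse_sync_standby(text):
    """Return the three sync flags as booleans plus the interval in seconds."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        m = SYNC_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2) == "TRUE"
            continue
        m = INTERVAL_RE.match(line)
        if m:
            settings["interval"] = int(m.group(1))
    return settings


def check_redundancy(modules, sync):
    """Apply the rules this chapter states and return a list of findings."""
    findings = []
    active = [m for m in modules if m["status"] == "ACTIVE"]
    standby = [m for m in modules if m["status"] in ("STANDBY", "COMING UP")]
    if len(active) != 1:
        findings.append(f"expected exactly one ACTIVE management module, found {len(active)}")
    if not standby:
        findings.append("no STANDBY management module: a management module failure is not masked")
    for m in modules:
        if m["status"] == "FAILED":   # FAILED applies to host modules only
            findings.append(f"slot {m['slot']} ({m['name']}) FAILED to come up")
    interval = sync.get("interval")
    if interval == 0:
        findings.append("running-config sync disabled (interval 0): after switchover the "
                        "standby falls back to the last copied startup-config")
    elif interval is not None and not 4 <= interval <= 20:
        findings.append(f"running-config sync interval {interval}s is outside the 4-20 s range")
    if sync.get("config data") is False:
        findings.append("startup-config sync disabled: standby may boot with a stale configuration")
    if sync.get("code image") is False:
        findings.append("flash code sync disabled: standby may run a different software image")
    return findings


if __name__ == "__main__":
    for finding in check_redundancy(parse_show_module(SHOW_MODULE),
                                    parse_sync_standby(SYNC_STANDBY)):
        print("FINDING:", finding)
```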



Immediately Synchronizing Software 

You can immediately synchronize software between the active and standby management modules. When you 
synchronize software, the active module copies the software you specify to the standby module, replacing the 
software on the standby module. 

To synchronize software, use either of the following methods. 
USING THE CLI

To immediately synchronize the boot code on the standby module with the boot code on the active module, enter 
the following command at the Privileged EXEC level of the CLI: 

HP9300# sync-standby boot 

Syntax: sync-standby boot 

To immediately synchronize the flash code (system software) on the standby module with the boot code on the 
active module, enter the following command at the Privileged EXEC level of the CLI: 

HP9300# sync-standby code 

Syntax: sync-standby code 

To immediately synchronize the running-config on the standby module with the running-config on the active 
module, enter the following command at the Privileged EXEC level of the CLI: 

HP9300# sync-standby running-config 

Syntax: sync-standby running-config 

To immediately synchronize the startup-config file on the standby module with the startup-config file on the active 
module, enter the following command at the Privileged EXEC level of the CLI: 

HP9300# sync-standby startup-config 

Syntax: sync-standby startup-config 

USING THE WEB MANAGEMENT INTERFACE 

NOTE: This procedure applies only to synchronizing the boot code and the running-config. To immediately 
synchronize the flash code or the startup-config file, use the CLI procedure above. 

1. Log on to the device using a valid user name and password for read-write access. The System configuration
dialog is displayed. 

2. Select the Redundant link to display the following panel. 



[Redundant Management Modules panel: Active Management Slot pulldown (Auto Select); Standby Management Module Synchronization: Running Configuration Interval (sec) field, Synchronize Configuration Now button, Boot Flash checkbox, Synchronize Boot Flash Now button; Apply and Reset buttons; Switch-over Active Module link]



3. Click the button for the code or file you want to immediately synchronize: 

• To synchronize the running-config, select the Synchronize Configuration Now button. 

• To synchronize the boot flash code, select the Synchronize Boot Flash Now button. 

As soon as you click the button, the Web management interface immediately performs the synchronization. 
Automating Synchronization of Software

Automatic synchronization of the flash code, running-config, and system-config file is enabled by default. 
Automatic synchronization of the boot code is disabled by default. 

To change the automatic synchronization setting, use one of the following methods. 

USING THE CLI 

The CLI commands for automating synchronization of software between the active and standby modules are the
same as the commands for immediately synchronizing the software. The only difference is the CLI level at which
you enter the commands.

• To immediately synchronize software, enter the command at the Privileged EXEC level. 

• To automate synchronization starting with the next software reload or system reset and each reload or reset 
after that, enter the command at the Redundancy CONFIG level. 

Automatic synchronization of the flash code, running-config, and system-config file is enabled by default. 
Automatic synchronization of the boot code is disabled by default. To change the automatic synchronization 
setting, use one of the following commands: 

Syntax: [no] sync-standby boot 

Syntax: [no] sync-standby code 

Syntax: [no] sync-standby startup-config 

Syntax: [no] sync-standby running-config [<num>] 

To disable automatic synchronization of the boot code, flash code, or startup-config file, enter "no" in front of the 
command. 

The <num> parameter with the sync-standby running-config command specifies the synchronization interval. 
You can specify from 4-20 seconds. The default is 10 seconds. 

To disable automatic synchronization of the running-config, set the synchronization interval (the <num> 
parameter) to 0. 

USING THE WEB MANAGEMENT INTERFACE 

NOTE: This procedure applies only to synchronization of the boot code and running-config. To change 
automatic synchronization of other software, use the CLI procedure above. 

1. Log on to the device using a valid user name and password for read-write access. The System configuration
dialog is displayed. 

2. Select the Redundant link to display the following panel. 



[Redundant Management Modules panel: Active Management Slot pulldown (Auto Select); Standby Management Module Synchronization: Running Configuration Interval (sec) field (10), Synchronize Configuration Now button, Boot Flash checkbox, Synchronize Boot Flash Now button; Apply and Reset buttons; Switch-over Active Module link]
3. To enable automatic synchronization of the boot code, select the checkbox next to Boot Flash.

4. To change the synchronization interval for the running-config, enter the new value in the Running 
Configuration Interval field. To disable automatic synchronization of the running-config, enter 0 in the field. 

5. Select the checkbox next to Boot Flash. 



NOTE: Do not click the Synchronize Boot Flash Now button unless you want the active module to 
immediately copy its boot flash image to the standby module. 



6. Click the Apply button to send the configuration change to the active module's running-config file. 

7. If you want the change to remain in effect following the next system reload, select the Save link to save the 
configuration change to the active redundant management module's startup-config file. (The change is 
automatically sent to the standby module when the active module's system-config file is copied to the standby 
module.) 

Switching Over to the Standby Redundant Management Module 

If you reload the software using the reload command, the behavior of the management modules is the same as 
when you power the system on. The system selects the active module based on the slot you specified or based 
on the lower slot number if you did not specify a slot. Then both redundant management modules load their own 
boot code and load the active redundant management module's flash code (system software) and system-config 
file. 

If you do not want to reload the system but you instead want to force the system to switch over to the standby 
module (and thus make it the active redundant management module), use one of the following methods. 

USING THE CLI 

To switch over to the other redundant management module, enter a command such as the following:

HP9300# reset 2

Syntax: reset <slot-num>

Specify the slot number containing the currently active management module. Do not specify the slot number 
containing the standby module to which you want to switch over. 

The <slot-num> parameter specifies the chassis slot: 

• Slots on an HP 9304M chassis are numbered 1 - 4, from top to bottom. 

• Slots on an HP 9308M chassis are numbered 1 - 8, from left to right.

USING THE WEB MANAGEMENT INTERFACE

1. Log on to the device using a valid user name and password for read-write access. The System configuration
dialog is displayed. 

2. Select the Redundant link to display the following panel. 
[Redundant Management Modules panel: Active Management Slot pulldown (Auto Select); Standby Management Module Synchronization: Running Configuration Interval (sec) field (10), Synchronize Configuration Now button, Boot Flash checkbox, Synchronize Boot Flash Now button; Apply and Reset buttons; Switch-over Active Module link]

3. Select the Switch-over Active Module link. A message appears asking you to verify that you want to switch 
over from the active module to the standby. 

4. Select Yes to switch over or No to cancel the switchover request. 

Temperature Sensor 

The redundant management module contains a temperature sensor. Depending on the temperature reported by 
the sensor, the software can send a warning if the temperature exceeds the normal threshold and can even shut 
the module down if the temperature exceeds the safe threshold. The software reads the temperature sensor 
according to the chassis poll time, which is 60 seconds by default. 

When the software reads the temperature sensor, if the temperature equals or exceeds the warning or shutdown 
temperature, the software does the following: 

• Warning message - If the temperature of the module reaches the warning value, the software sends a Syslog 
message to the Syslog buffer and also to the SyslogD server, if configured. In addition, the software sends an 
SNMP trap to the SNMP trap receiver, if you have configured the device to use one. 

• Shutdown - If the temperature matches or exceeds the shutdown temperature, the software sends a Syslog 
message to the Syslog buffer and also to the SyslogD server if configured. The software also sends an 
SNMP trap to the SNMP trap receiver, if you have configured the device to use one. 

If the temperature equals or exceeds the shutdown temperature for five consecutive polls of the temperature by 
the software, the software shuts down the module to prevent damage. 

You can display the temperature of the module. You also can change the warning and shutdown temperatures 
and the chassis poll time. 

Displaying the Temperature 

By default, the software polls the temperature sensor on the active redundant management module every 60 
seconds to get the current temperature. This poll rate is controlled by the chassis poll time, which also controls 
how often the software polls other system components. You can display the temperature of the active redundant 
management module using either of the following methods. 

USING THE CLI 

To display the temperature of a redundant management module, enter the following command at any level of the 
CLI: 

HP9300> show chassis

power supply 1 not present
power supply 2 not present
power supply 3 ok
power supply 4 not present
power supply 1 to 4 from bottom to top
fan 1 ok
fan 2 bad
fan 3 ok
fan 4 ok
Current temperature : 34.5 C degrees
Warning level : 45 C degrees, shutdown level : 55 C degrees

Syntax: show chassis

USING THE WEB MANAGEMENT INTERFACE 

1. Log on to the device using a valid user name and password for read-write access. The System configuration
dialog is displayed. 

2. Click on the plus sign next to Monitor in the tree view to display the monitoring options. 

3. Select the Device link to display the following panel. 



[Device Information panel]

System Up Time: 4 hours 27 minutes 44 seconds
Running Image Version: SW: Version 06.1.00T53 Compiled on Oct 22 1999 at 16:41:10 labeled as H2R06100b
Flash Primary Image Version: 06.1.00T53, size=1866772
Flash Secondary Image Version: 06.1.00T51, size=855494
Boot Image Version: 05.00.00, size=65536
Temperature: 31.0 C
CPU Utilization: 1 %
Serial Number: S27a00
Power Supply 1, bottom power supply: Absent
Power Supply 2, middle bottom power supply: Absent
Power Supply 3, middle top power supply: Good
Power Supply 4, top power supply: Absent
Fan 1, rear/back panel, top fan: Up
Fan 2, rear/back panel, bottom fan: Up
Fan 3, top panel, fan: Up
Fan 4, top panel, fan: Up



The temperature is listed in the Temperature field. The temperature information is color coded to indicate the 
state. 

• Green indicates the temperature is within the normal operating range. 

• Orange indicates the temperature has reached the warning level. 

• Red indicates the temperature has reached the shutdown level. 

NOTE: You also can display the Device Information panel by clicking on the graphic of the chassis panel, in the 
upper right frame. The graphic is shown only if the Web management interface frames are enabled. 
Displaying Temperature Messages

The software sends a Syslog message and an SNMP trap if the temperature crosses the warning or shutdown 
thresholds. The following methods describe how to view the system log on the device. If you have configured the 
device to use a SyslogD server or SNMP trap receiver, see the documentation for the server or receiver. 

USING THE CLI 

To display the system log, enter the following command at any CLI level: 

HP9300# show log

Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Buffer logging: level ACDMEINW, 8 messages logged
level code: A=alert C=critical D=debugging M=emergency E=error
I=informational N=notification W=warning

Static Log Buffer:

Dynamic Log Buffer (50 entries):

at 0 days 0 hours 2 minutes 0 seconds, level alert
Temperature 48.0 C degrees, warning level 45.0 C degrees, shutdown level 55.0 C degrees

at 0 days 0 hours 1 minutes 0 seconds, level alert
Temperature 50.0 C degrees, warning level 45.0 C degrees, shutdown level 55.0 C degrees

USING THE WEB MANAGEMENT INTERFACE 

1. Log on to the device using a valid user name and password for read-write access. The System configuration
dialog is displayed. 

2. Click on the plus sign next to Monitor in the tree view to display the Monitor options. 

3. Select the System Log link to display the system log. 
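Both the switchover message (under "Displaying Switchover Messages") and the temperature messages above arrive in the same show log format: an "at ... seconds, level ..." header followed by the message text, which the device may wrap onto a second line. The following added example (not HP's code) parses that format, joins wrapped lines, and classifies the entries so that a monitoring script can pick out an unexpected switchover or a reading at or above the warning or shutdown level. The log text is constructed; the 56.0 C reading is invented to exercise the shutdown branch.

```python
"""Parse `show log` output and pick out switchover and temperature events.

Added example, not HP code. SHOW_LOG is constructed in the format shown on
this page for the switchover and temperature messages.
"""
import re

SHOW_LOG = """\
HP9300# show log
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Buffer logging: level ACDMEINW, 3 messages logged
    level code: A=alert C=critical D=debugging M=emergency E=error
                I=informational N=notification W=warning
Static Log Buffer:
Dynamic Log Buffer (50 entries):
at 0 days 0 hours 2 minutes 0 seconds, level alert
Temperature 56.0 C degrees, warning level 45.0 C degrees, shutdown level 55.0 C
degrees
at 0 days 0 hours 1 minutes 0 seconds, level alert
Temperature 48.0 C degrees, warning level 45.0 C degrees, shutdown level 55.0 C degrees
at 0 days 0 hours 0 minutes 0 seconds, level alert
Management module at slot 1 state changed, changed state from standby to active
"""

# Entry header as printed by the device; the message follows on the next line(s).
HEADER_RE = re.compile(
    r"^at (\d+) days (\d+) hours (\d+) minutes (\d+) seconds, level (\w+)$"
)
SWITCHOVER_RE = re.compile(
    r"Management module at slot (\d+) state changed, changed state from (\w+) to (\w+)"
)
TEMP_RE = re.compile(
    r"Temperature ([\d.]+) C degrees, warning level ([\d.]+) C degrees, "
    r"shutdown level ([\d.]+) C degrees"
)


def classify(uptime_s, level, message):
    """Turn one log entry into a dict; kind is switchover, temperature or other."""
    event = {"uptime_s": uptime_s, "level": level, "message": message, "kind": "other"}
    m = SWITCHOVER_RE.search(message)
    if m:
        event.update(kind="switchover", slot=int(m.group(1)),
                     old=m.group(2), new=m.group(3))
        return event
    m = TEMP_RE.search(message)
    if m:
        temp, warn, shut = (float(x) for x in m.groups())
        severity = "shutdown" if temp >= shut else "warning" if temp >= warn else "normal"
        event.update(kind="temperature", celsius=temp, severity=severity)
    return event


def parse_show_log(text):
    """Walk the dynamic log buffer, joining wrapped message lines."""
    events, header, buf = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            if header is not None:
                events.append(classify(*header, " ".join(buf)))
            d, h, mi, s = (int(x) for x in m.groups()[:4])
            header = (((d * 24 + h) * 60 + mi) * 60 + s, m.group(5))
            buf = []
        elif header is not None and line:
            buf.append(line)   # continuation of a wrapped message
    if header is not None:
        events.append(classify(*header, " ".join(buf)))
    return events


def needs_attention(events):
    """Entries worth an alert: any switchover (expected only after a deliberate
    reset <slot-num>, otherwise a sign the active module failed) and any
    temperature reading at or above the warning level."""
    return [e for e in events
            if e["kind"] == "switchover"
            or (e["kind"] == "temperature" and e["severity"] != "normal")]


if __name__ == "__main__":
    for e in needs_attention(parse_show_log(SHOW_LOG)):
        print(e["uptime_s"], e["kind"], e["message"])
```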

Changing Temperature Warning and Shutdown Levels 

The default warning temperature is 45.0 C degrees. The default shutdown temperature is 55.0 C degrees. You 
can change the warning and shutdown temperatures using the following commands. The valid range for each 
value is 0 - 125 C degrees. 

NOTE: You cannot set the warning temperature to a value higher than the shutdown temperature.

USING THE CLI

To change the temperature at which the module sends a warning, enter a command such as the following at the 
Privileged EXEC level of the CLI: 

HP9300# temperature warning 47

Syntax: temperature warning <value> 

The <value> can be 0 - 125. 

To change the shutdown temperature, enter a command such as the following at Privileged EXEC level of the CLI:

HP9300# temperature shutdown 57

Syntax: temperature shutdown <value>

The <value> can be 0 - 125.
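The polling behaviour described under "Temperature Sensor" (a Syslog alert when a reading reaches the warning or shutdown level, and a shutdown after five consecutive polls at or above the shutdown level) together with the threshold rules just stated (0 - 125 C, warning not higher than shutdown), as an added simulation that is not HP's firmware. One assumption the page does not state: a reading below the shutdown level resets the consecutive-poll count.

```python
"""Simulate the temperature sensor behaviour described on this page.

Added example, not HP code. Thresholds default to the documented 45.0 C
warning and 55.0 C shutdown levels.
"""

SHUTDOWN_POLLS = 5            # consecutive polls at/above the shutdown level
DEFAULT_POLL_TIME = 60        # chassis poll-time default, in seconds
TEMP_MIN, TEMP_MAX = 0, 125   # valid range for the warning and shutdown values


def validate_thresholds(warning, shutdown):
    """Enforce the rules under 'Changing Temperature Warning and Shutdown Levels'."""
    for name, value in (("warning", warning), ("shutdown", shutdown)):
        if not TEMP_MIN <= value <= TEMP_MAX:
            raise ValueError(f"{name} temperature {value} is outside {TEMP_MIN}-{TEMP_MAX} C")
    if warning > shutdown:
        raise ValueError("warning temperature cannot be higher than shutdown temperature")
    return True


def seconds_to_shutdown(poll_time=DEFAULT_POLL_TIME):
    """Time from the first over-temperature poll until the module is shut down."""
    return SHUTDOWN_POLLS * poll_time


class TemperatureMonitor:
    def __init__(self, warning=45.0, shutdown=55.0):
        validate_thresholds(warning, shutdown)
        self.warning, self.shutdown = warning, shutdown
        self.consecutive_hot = 0
        self.shut_down = False
        self.syslog = []          # (level, message) pairs the device would emit

    def _alert(self, celsius):
        self.syslog.append(("alert",
            f"Temperature {celsius:.1f} C degrees, warning level {self.warning:.1f} "
            f"C degrees, shutdown level {self.shutdown:.1f} C degrees"))

    def poll(self, celsius):
        """Process one reading and return the resulting module state."""
        if self.shut_down:
            return "shutdown"
        if celsius >= self.shutdown:
            self.consecutive_hot += 1
            self._alert(celsius)
            if self.consecutive_hot >= SHUTDOWN_POLLS:
                self.shut_down = True      # shut down to prevent damage
                return "shutdown"
            return "shutdown-pending"
        self.consecutive_hot = 0           # assumption: count resets below shutdown level
        if celsius >= self.warning:
            self._alert(celsius)
            return "warning"
        return "normal"

    def run(self, readings):
        """Feed a sequence of readings, one per chassis poll, and collect the states."""
        return [self.poll(c) for c in readings]


if __name__ == "__main__":
    mon = TemperatureMonitor()
    print(mon.run([40, 46, 56, 56, 56, 56, 50, 56]))
    print("shut down:", mon.shut_down, "after", seconds_to_shutdown(), "s worst case")
```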
USING THE WEB MANAGEMENT INTERFACE

1. Log on to the device using a valid user name and password for read-write access. The System configuration
dialog is displayed. 

2. Select the Advance link to display the following panel. 



[System panel: Tag Type (8100), Broadcast Limit, Switch Age Time (300), Default VLAN ID, Chassis Poll Interval (sec), Temperature Warning Threshold (C), Temperature Shutdown Threshold (C), Gig Port Default (Neg-Full-Auto), Mirror Slot (None) and Port (None); Apply and Reset buttons]



3. Edit the value in the Temperature Warning Threshold field to change the warning temperature. 

4. Edit the value in the Temperature Shutdown Threshold field to change the shutdown temperature. 

5. Click the Apply button to send the configuration change to the active module's running-config file. 

6. If you want the change to remain in effect following the next system reload, select the Save link to save the 
configuration change to the active redundant management module's startup-config file. (The change is 
automatically sent to the standby module when the active module's system-config file is copied to the standby 
module.) 

Changing the Chassis Polling Interval 

The software reads the temperature sensor and polls other hardware sensors according to the value set for the
chassis poll time, which is 60 seconds by default. You can change the chassis poll time using either of the
following methods.

USING THE CLI 

To change the chassis poll time, enter a command such as the following at the global CONFIG level of the CLI: 

HP9300(config)# chassis poll-time 200

Syntax: chassis poll-time <value> 

The <value> can be 0 - 65535. 

USING THE WEB MANAGEMENT INTERFACE 

1. Log on to the device using a valid user name and password for read-write access. The System configuration
dialog is displayed. 

2. Select the Advance link to display the following panel.

[System panel: Tag Type (8100), Broadcast Limit, Switch Age Time, Default VLAN ID, Chassis Poll Interval (sec), Temperature Warning Threshold (C), Temperature Shutdown Threshold (C), Gig Port Default (Neg-Full-Auto), Mirror Slot (None) and Port (None); Apply and Reset buttons]



3. Edit the value in the Chassis Poll Interval field to change polling interval. You can enter a value from 
0 - 65535. The default is 60 seconds. 

4. Click the Apply button to send the configuration change to the active module's running-config file. 

5. If you want the change to remain in effect following the next system reload, select the Save link to save the 
configuration change to the active redundant management module's startup-config file. (The change is 
automatically sent to the standby module when the active module's system-config file is copied to the standby 
module.) 
Chapter 6

Updating Software Images and Configuration Files



This chapter describes how to copy and save configuration files and software image files. 

Downloading and Uploading a Software Image on a TFTP Server 

For easy software image management, the HP 9308M, HP 9304M, and HP 6308M-SX routing switches and the 
HP 6208M-SX switch support the download and upload of software images between the flash modules on the 
devices and a Trivial File Transfer Protocol (TFTP) server on the network. 

The management module on each device contains two flash memory modules: 

• Primary flash - The default local storage device for system image files and configuration files. 

• Secondary flash - A second flash storage device. You can use the secondary flash to store redundant 
images for additional booting reliability or to preserve one software image while testing out another one. 

Only one flash device is active at a time. By default, the primary image will become active upon reload. 

You can update the software contained on a flash module using TFTP to copy the update image from a TFTP 
server onto the flash module. In addition, you can copy software images and configuration files from a flash 
module to a TFTP server. 



NOTE: The HP devices are TFTP clients but not TFTP servers. You must perform the TFTP transaction from the 
device. You cannot "put" a file onto the device using the interface of your TFTP server. 



NOTE: The TFTP client on the devices supports 8.3 file names. If you try to copy a file with more than eight 
characters and up to three characters in the extension, the interface reports that the file was not found on the 
TFTP server. 



USING THE CLI 

To initiate transfers of software images to and from a TFTP server from the CLI, enter one of the following 
commands from the User (Privileged) level: 

• copy flash tftp... - Use this command to upload a copy of the software image to a TFTP server. 

• copy tftp flash... - Use this command to download a copy of the software image from a TFTP server into the 
device's flash. 
USING THE WEB MANAGEMENT INTERFACE

To initiate transfers of software images to and from a TFTP server from the Web management interface: 

1 . Log on to the device using a valid user name and password for read-write access. The System configuration 
dialog is displayed. 

2. Click on the plus sign next to Command in the tree view to expand the list of command options. 

3. Click on the plus sign next to TFTP under Command in the tree view to expand the list of TFTP options. 

4. Select the Image link to display the following panel.

[TFTP Image panel: fields for TFTP Server IP and Image File Name, a Flash selector (Primary / Secondary), and
Copy from Server and Save to Server buttons.]

5. Enter the address of the TFTP server in the TFTP Server IP field. 

6. Enter the image file name in the Image File Name field. 

NOTE: The TFTP client on the HP device supports only 8.3 format file names (up to eight characters in the
name plus up to three characters in the extension). Make sure that if you rename the file on your TFTP server,
you give the file a name that conforms to these rules.



7. Specify the origin or destination of the image code you are transferring by selecting Primary or Secondary 
next to Flash. 

8. Click on one of the following buttons to start the file transfer: 

• Copy from Server - downloads the image file from the TFTP server into the flash area you specified. 

• Save to Server - uploads the image file from the flash area you specified onto the TFTP server. 

Changing the Block Size for TFTP File Transfers 

When you use TFTP to copy a file to or from a HP device, the device transfers the data in blocks of 8192 bytes by
default. You can change the block size to one of the following if needed:

• 4096

• 2048

• 1024

• 512

• 256

• 128

• 64

• 32

• 16

To change the block size for TFTP file transfers to and from the HP device, use the following CLI method. 
USING THE CLI

To change the block size for TFTP file transfers, enter a command such as the following at the global CONFIG
level of the CLI:

HP9300(config)# flash 2047

set flash copy block size to 2048 

Syntax: [no] flash <num> 

The software rounds up the <num> value you enter to the next valid power of two, and displays the resulting 
value. In this example, the software rounds the value up to 2048. 



NOTE: If the value you enter is one of the valid powers of two for this parameter, the software still rounds the 
value up to the next valid power of two. Thus, if you enter 2048, the software rounds the value up to 4096. 
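As an added example for the two TFTP constraints described in this chapter (the 8.3 file-name limit of the device's TFTP client and the rounding performed by flash <num>), the following Python, written for this page rather than taken from HP, checks a planned transfer before it is typed in. The behaviour for a request above 8192 is an assumption, since the text does not say how the device treats it.

```python
# Pre-flight checks for the copy flash tftp / copy tftp flash commands in this
# chapter (added example, not HP code).

# Block sizes the text lists as valid; 8192 is the default.
VALID_BLOCK_SIZES = (16, 32, 64, 128, 256, 512, 1024, 2048, 4096, 8192)
DEFAULT_BLOCK_SIZE = 8192


def is_valid_83_name(name):
    """True when the name has at most 8 characters before the dot and at most 3
    after it, which is what the device's TFTP client accepts.  A longer name is
    reported by the device as 'not found' on the server."""
    base, _dot, ext = name.partition(".")
    if "." in ext:            # a second dot means the name is not 8.3
        return False
    return 1 <= len(base) <= 8 and len(ext) <= 3


def effective_block_size(requested):
    """Mirror the rounding the text describes for 'flash <num>': the value is
    rounded UP to the next valid power of two, and an exact power of two still
    moves up one step (2047 -> 2048, 2048 -> 4096).  Returns None when no valid
    size lies above the request; the text does not say how the device treats
    that case, so the caller refuses to send it (assumption)."""
    for size in VALID_BLOCK_SIZES:
        if size > requested:
            return size
    return None


def tftp_preflight(filename, requested_block_size=None):
    """Return the block size the device would use and a list of problems
    (empty when the transfer is sane)."""
    problems = []
    if not is_valid_83_name(filename):
        problems.append("%r is not an 8.3 file name; rename it on the TFTP server" % filename)
    if requested_block_size is None:
        block = DEFAULT_BLOCK_SIZE
    else:
        block = effective_block_size(requested_block_size)
        if block is None:
            problems.append("no valid block size above %d" % requested_block_size)
    return block, problems


if __name__ == "__main__":
    print(tftp_preflight("H2R06616.bin"))         # (8192, [])
    print(tftp_preflight("new_image.bin", 2048))  # (4096, ['...not an 8.3 file name...'])
```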



USING THE WEB MANAGEMENT INTERFACE 

You cannot configure this option using the Web management interface. 



Updating Boot Code 

Under certain conditions, HP support personnel may request you to update the boot code on a routing switch 
management module. Because the boot code is essential for the management module to operate, and because 
no backup copy is stored on the module, extreme caution is necessary when updating this code. Use the 
following steps to verify TFTP operation and to update the boot code. 

1. Use the show flash command to verify the current boot code version. The last line in this example shows
the verification output for boot code version 07.01.01:

HP9308> enable 
HP9308# show flash 
Active management module: 

Code Flash Type: AMD 29F032B, Size: 64 * 65536 = 4194304, Unit: 2 
Boot Flash Type: AMD 29F040, Size: 8 * 65536 = 524288 
Compressed Primary Code size = 2579100, Version 07.1.10T53 
Compressed Secondary Code size = 2053824, Version 06.6.16T53 
Maximum Code Image Size Supported: 2817536 (0x002afe00) 
Boot Image Version 07.01.01 

2. Verify that your TFTP server interoperates properly with the routing switch. To do so, copy the software image 
stored in secondary flash to a TFTP server, delete the image from secondary flash, and then copy the image 
you saved onto the TFTP server back into secondary flash. For example, if the IP address of the TFTP server 
is 192.168.1.1 and the file name you will use to store the image is H2R06616.bin: 

a. Copy the software image stored in secondary flash to the TFTP server. 

HP9308# copy flash tftp 192.168.1.1 H2R06616.bin sec 
HP9308#Flash to TFTP Done. 

b. On the routing switch, delete the software image stored in secondary flash and verify that secondary 
flash is empty. (If secondary flash is empty, you will see "size = 0" in the "Compressed Secondary Code" 
line of the show flash command output.) For example: 

HP9308# erase flash secondary 

Flash Erase HP9308# Erase flash Done. 

HP9308# show flash 
Active management module: 

Code Flash Type: AMD 29F032B, Size: 64 * 65536 = 4194304, Unit: 2 
Boot Flash Type: AMD 29F040, Size: 8 * 65536 = 524288 
Compressed Primary Code size = 2579100, Version 07.1.10T53 
Compressed Secondary Code size = 0, Version
Maximum Code Image Size Supported: 2817536 (0x002afe00)
Boot Image Version 07.01.01

c. Copy the software image file you just saved (in step a) from the TFTP server back to secondary flash on 
the routing switch and verify that the code is stored in secondary flash. For example: 

HP9308# copy tftp flash 192.168.1.1 H2R06616.bin sec 

HP9308# Flash Erase 

Flash Memory Write (8192 bytes per dot) 



TFTP to Flash Done. 

HP9308# show flash 
Active management module: 

Code Flash Type: AMD 29F032B, Size: 64 * 65536 = 4194304, Unit: 2 
Boot Flash Type: AMD 29F040, Size: 8 * 65536 = 524288 
Compressed Primary Code size = 2579100, Version 07.1.10T53 
Compressed Secondary Code size = 2053824, Version 06.6.16T53 

Maximum Code Image Size Supported: 2817536 (0x002afe00)
Boot Image Version 07.01.01 

The "size" and "Version" values in the "Compressed Secondary Code" line, above, indicate that the software
image file has been successfully reloaded into secondary flash. You have now verified that your
communication with the TFTP server is working properly.

3. Download the appropriate boot code from the HP Procurve website to your TFTP server. (Go to
http://www.hp.com/go/hpprocurve and click on software.)

4. Use the (undocumented) boot command shown below to initiate the TFTP download. For example, to
download the M2B07105.bin boot code from a TFTP server at 192.168.1.1:



CAUTION: It is extremely important that the TFTP download of the boot code is not interrupted. An 
interruption in this process can result in a non-bootable system. If for any reason the boot code download is 
not successful, please do not use the reload command in the next step. Instead, contact an HP Customer 
Care Center immediately. To find the HP Customer Care Center for your area, see the support and warranty 
booklet shipped with your routing switch product, or see the HP Procurve Networking Service and Support 
Guide available on HP's Procurve website at http://www.hp.com/go/hpprocurve. (Click on technical 
support and then support services.) 



HP9308# copy tftp flash 192.168.1.1 M2B07105.bin boot 
HP9308# Writing to flash, please wait . . . Done 

HP9308# show flash 
Active management module: 

Code Flash Type: AMD 29F032B, Size: 64 * 65536 = 4194304, Unit: 2 
Boot Flash Type: AMD 29F040, Size: 8 * 65536 = 524288 
Compressed Primary Code size = 2579100, Version 07.1.10T53 
Compressed Secondary Code size = 2053824, Version 06.6.16T53 
Maximum Code Image Size Supported: 2817536 (0x002afe00) 
Boot Image Version 07.01.05 

Note that in the preceding example, the Boot Image Version number (07.01.05) at the end of step 4, above,
is a later (higher) version than the Boot Image Version number (07.01.01) at the end of step 1. This
indicates a successful download of a new boot image to the routing switch. 

5. Execute the reload command to ensure that the boot code operates properly: 

HP9308# reload 
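As an added check for the procedure above (example code written for this page, not HP's), the following Python parses the show flash output shown in steps 1 through 4 and verifies the two things the procedure relies on: that secondary flash read size 0 after the erase and was restored intact, and that the boot image version increased after the boot code copy. The sample output is constructed from the transcript above, not captured from a device.

```python
import re

# Constructed "show flash" samples modelled on the transcript in the boot-code
# procedure above; they are not captured from a live device.
FLASH_BEFORE = """\
Active management module:
Code Flash Type: AMD 29F032B, Size: 64 * 65536 = 4194304, Unit: 2
Boot Flash Type: AMD 29F040, Size: 8 * 65536 = 524288
Compressed Primary Code size = 2579100, Version 07.1.10T53
Compressed Secondary Code size = 2053824, Version 06.6.16T53
Maximum Code Image Size Supported: 2817536 (0x002afe00)
Boot Image Version 07.01.01
"""

# What step 2b shows after 'erase flash secondary': size 0 and an empty Version.
FLASH_ERASED = FLASH_BEFORE.replace(
    "Compressed Secondary Code size = 2053824, Version 06.6.16T53",
    "Compressed Secondary Code size = 0, Version ")

# What step 4 shows after the boot code copy: only the boot version changes.
FLASH_AFTER_BOOT = FLASH_BEFORE.replace(
    "Boot Image Version 07.01.01", "Boot Image Version 07.01.05")

_CODE_RE = re.compile(
    r"Compressed (Primary|Secondary) Code size = (\d+), Version ?(\S*)")
_MAX_RE = re.compile(r"Maximum Code Image Size Supported: (\d+)")
_BOOT_RE = re.compile(r"Boot Image Version (\S+)")


def parse_show_flash(text):
    """Pull the fields the procedure relies on out of 'show flash' output."""
    info = {}
    for area, size, version in _CODE_RE.findall(text):
        info[area.lower()] = {"size": int(size), "version": version or None}
    m = _MAX_RE.search(text)
    info["max_image_size"] = int(m.group(1)) if m else None
    m = _BOOT_RE.search(text)
    info["boot_version"] = m.group(1) if m else None
    return info


def version_key(version):
    """'07.01.05' -> (7, 1, 5), so boot versions compare numerically rather than
    as strings.  Meant for the dotted boot version, not the 'T53' code versions."""
    return tuple(int(part) for part in version.split("."))


def verify_tftp_roundtrip(before, erased, restored):
    """Step 2 of the procedure: secondary must read size 0 after the erase, and
    the image copied back must match what was uploaded (same size and version).
    Returns a list of problems; empty means the TFTP path is working."""
    b, e, r = (parse_show_flash(t) for t in (before, erased, restored))
    problems = []
    if e["secondary"]["size"] != 0:
        problems.append("secondary flash not empty after erase")
    if r["secondary"] != b["secondary"]:
        problems.append("restored secondary image differs from the saved copy")
    return problems


def verify_boot_update(before, after):
    """Step 4 check: the Boot Image Version must be higher after the copy."""
    old = parse_show_flash(before)["boot_version"]
    new = parse_show_flash(after)["boot_version"]
    return version_key(new) > version_key(old)


def image_fits(image_size, show_flash_text):
    """Sanity check before 'copy tftp flash': reject an image larger than the
    maximum the device reports (otherwise the transfer ends in TFTP error 6)."""
    return image_size <= parse_show_flash(show_flash_text)["max_image_size"]


if __name__ == "__main__":
    print(verify_tftp_roundtrip(FLASH_BEFORE, FLASH_ERASED, FLASH_BEFORE))  # []
    print(verify_boot_update(FLASH_BEFORE, FLASH_AFTER_BOOT))               # True
```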
Loading and Saving Configuration Files

For easy configuration management, the HP 9308M, HP 9304M, and HP 6308M-SX routing switches and the HP 
6208M-SX switch support both the download and upload of configuration files between the switch or routing 
switch and a TFTP server on the network. 



NOTE: The boot flash must have release 2.0 or later boot code installed for a TFTP download of the configuration 
file to the system flash to be active without a system reset. To determine the system's boot code versions, enter 
the show version or show flash command. 



You can upload either the startup configuration file or the running configuration file to the TFTP server for backup 
and use in booting the system. 

• Startup configuration file - This file contains the configuration information that is currently saved in flash. 
To display this file, enter the show configuration command at any CLI prompt. 

• Running configuration file - This file contains the configuration active in the system RAM but not yet saved
to flash. These changes could represent a short-term requirement or general configuration change. To 
display this file, enter the show running-config or write terminal command at any CLI prompt. 

Each device can have one startup configuration file and one running configuration file. The startup configuration 
file is shared by both flash modules. The running configuration file resides in DRAM. 

Replacing the Startup Configuration with the Running Configuration 

After you make configuration changes to the active system, you can save those changes by writing them to flash 
memory. When you write configuration changes to flash memory, you replace the startup configuration with the 
running configuration. 

USING THE CLI 

To replace the startup configuration with the running configuration, enter the following command at any Enable or 
CONFIG command prompt: 

HP9300# write memory 

USING THE WEB MANAGEMENT INTERFACE 

1. Click on the plus sign next to Command in the tree view to expand the list of command options.

2. Select the Save to Flash option. 

3. Select Yes when the Web management interface asks you whether you really want to save the configuration 
changes to flash. 

Replacing the Running Configuration with the Startup Configuration 

If you want to back out of the changes you have made to the running configuration and return to the startup 
configuration, use one of the following methods. 

USING THE CLI 

To replace the running configuration with the startup configuration, enter the following command at the Privileged
EXEC level of the CLI:

HP9300# reload 

USING THE WEB MANAGEMENT INTERFACE 

1. Click on the plus sign next to Command in the tree view to expand the list of command options.

2. Select the Save to Flash option. 

3. Select Yes when the Web management interface asks you whether you really want to save the configuration 
changes to flash. 
Logging Changes to the Startup-Config File

You can configure an HP device to generate a Syslog message when the startup-config file is changed. The trap 
is enabled by default. 

The following Syslog message is generated when the startup-config file is changed: 

startup-config was changed 

If the startup-config file was modified by a valid user, the following Syslog message is generated:

startup-config was changed by <username>

USING THE CLI

To disable or re-enable Syslog messages when the startup-config file is changed, use the following command:

Syntax: [no] logging enable config-changed

USING THE WEB MANAGEMENT INTERFACE

You cannot disable logging of startup-config changes using the Web management interface. 
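As an added example (not HP code), the following Python reads collector lines carrying the two Syslog messages described above and flags what a reviewer of configuration changes wants to see: a write with no attributable user, a write by an account outside the approved set, and repeated writes by one account on one device. The timestamp and host-name prefix and the user names are constructed, a real collector's line format may differ, and the detection depends on logging enable config-changed being left at its default.

```python
import re
from collections import Counter

# Constructed sample lines (made-up timestamps, host names and users) carrying
# the device's "startup-config was changed" messages plus one unrelated line.
SAMPLE_LOG = """\
Jun 14 02:11:05 HP9300-core1 startup-config was changed by jdoe
Jun 14 02:11:09 HP9300-core1 startup-config was changed
Jun 14 02:12:30 HP9300-core1 Power supply 2 is OK
Jun 14 03:40:01 HP9300-edge2 startup-config was changed by svc-backup
Jun 14 03:40:02 HP9300-edge2 startup-config was changed by svc-backup
Jun 14 03:40:03 HP9300-edge2 startup-config was changed by svc-backup
"""

# Assumed collector prefix: "<Mon dd hh:mm:ss> <host> " before the device message.
_LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"startup-config was changed(?: by (?P<user>\S+))?$")


def parse_config_changes(text):
    """Return one event per startup-config change line; 'user' is None when the
    device logged the change without a user name."""
    events = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            events.append({"ts": m.group("ts"), "host": m.group("host"),
                           "user": m.group("user")})
    return events


def review_config_changes(events, expected_users, burst_threshold=3):
    """Flag unattributed writes, writes by accounts outside expected_users, and
    bursts of burst_threshold or more writes by one account on one device."""
    findings = []
    for ev in events:
        if ev["user"] is None:
            findings.append("%s %s: startup-config changed without an attributable user"
                            % (ev["host"], ev["ts"]))
        elif ev["user"] not in expected_users:
            findings.append("%s %s: startup-config changed by unexpected account %s"
                            % (ev["host"], ev["ts"], ev["user"]))
    counts = Counter((ev["host"], ev["user"]) for ev in events)
    for (host, user), n in counts.items():
        if n >= burst_threshold:
            findings.append("%s: %d startup-config writes by %s" % (host, n, user))
    return findings


if __name__ == "__main__":
    for finding in review_config_changes(parse_config_changes(SAMPLE_LOG), {"jdoe"}):
        print(finding)
```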

Copying a Configuration File to or from a TFTP Server 

To copy the startup-config or running-config file to or from a TFTP server, use one of the following methods. 

NOTE: You can name the configuration file when you copy it to a TFTP server. However, when you copy a 
configuration file from the server to a device, the file is always copied as "startup-config" or "running-config", 
depending on which type of file you saved to the server. 

USING THE CLI 

To initiate transfers of configuration files to or from a TFTP server using the CLI, enter one of the following 
commands: 

• copy startup-config tftp - Use this command to upload a copy of the startup configuration file from the
switch or routing switch to a TFTP server.

• copy running-config tftp - Use this command to upload a copy of the running configuration file from the
switch or routing switch to a TFTP server.

• copy tftp startup-config - Use this command to download a copy of the startup configuration file from a
TFTP server to a switch or routing switch.

USING THE WEB MANAGEMENT INTERFACE 

To initiate transfers of configuration files to and from a TFTP server using the Web management interface: 

1. Log on to the device using a valid user name and password for read-write access. The System configuration
dialog is displayed.

2. Click on the plus sign next to Command in the tree view to expand the list of command options. 

3. Click on the plus sign next to TFTP under Command in the tree view to expand the list of TFTP options. 
4. Select the Configuration link to display the following panel.

[TFTP Configuration panel: fields for TFTP Server IP and Configuration File Name, with Copy from Server to
Flash, Save from Flash to Server and Save from RAM to Server buttons.]

5. Enter the address of the TFTP server in the TFTP Server IP field. 

6. Enter the configuration file name in the Configuration File Name field. 



NOTE: The TFTP client on the HP device supports only 8.3 format file names (up to eight characters in the
name plus up to three characters in the extension). Make sure that if you rename the file on your TFTP server,
you give the file a name that conforms to these rules.



7. Click on one of the following buttons to start the file transfer: 

• Copy from Server to Flash - downloads the configuration file from the TFTP server into the device's 
flash. (The flash area holds only one configuration file, so you cannot specify a primary or secondary 
save location for the file.) 

• Save from Flash to Server - uploads the startup-config file (the configuration file) to the TFTP server 
using the name you entered in the Configuration File Name field. 

• Save from RAM to Server - uploads the running-config file to the TFTP server using the name you 
entered in the Configuration File Name field. The running-config file contains the active system 
configuration, which may not match the contents of the startup-config file if you have made configuration 
changes but not saved them to flash. To synchronize the running-config and startup-config files, use the 
procedure in "Replacing the Startup Configuration with the Running Configuration" on page 6-5. 



NOTE: While TFTP transfers are in process, a red bar labeled 'processing' is displayed on the screen. When the 
TFTP transfer is actively transferring image or configuration data, a green bar labeled 'loading' is displayed. When 
a successful transfer is complete, the message "TFTP transfer complete" is displayed. 



If a problem with the transfer occurs, one of the error codes listed in the following section is displayed. 

Maximum File Sizes for Startup-Config File and Running-Config 

Each device has a maximum allowable size for the running-config and the startup-config file. If you use TFTP to 
load additional information into a device's running-config or startup-config file, it is possible to exceed the 
maximum allowable size. If this occurs, you will not be able to save the configuration changes. 

The following table lists the maximum size for the running-config and the startup-config file on the devices. 



Product | Maximum running-config and startup-config file sizes (a)
HP 9304M or HP 9308M using redundant management module (M2) | 256K
HP 9304M or HP 9308M using management module (M1) | 128K
HP 6308M-SX or HP 6208M-SX | 64K

a. The running-config and startup-config file can each be the size listed. The maximum size is not the
maximum combined size for the running-config and startup-config files.


To determine the size of a device's running-config or startup-config file, copy it to a TFTP server, then use the 
directory services on the server to list the size of the copied file. To copy the running-config or startup-config file to 
a TFTP server, use one of the following commands. 

• Commands to copy the running-config to a TFTP server:

copy running-config tftp <ip-addr> <filename>

ncopy running-config tftp <ip-addr> <from-name>

• Commands to copy the startup-config file to a TFTP server:

copy startup-config tftp <ip-addr> <filename>

ncopy startup-config tftp <ip-addr> <from-name>

Diagnostic Error Codes and Remedies for TFTP Transfers 

If an error occurs with a TFTP transfer to or from an HP device, one of the following error codes is displayed. 

Error code | Message | Explanation and action
1 | Flash read preparation failed. | A flash error occurred during the download. Retry the download. If it fails again, contact customer support.
2 | Flash read failed. | Same as code 1.
3 | Flash write preparation failed. | Same as code 1.
4 | Flash write failed. | Same as code 1.
5 | TFTP session timeout. | TFTP failed because of a time out. Check IP connectivity and make sure the TFTP server is running.
6 | TFTP out of buffer space. | The file is larger than the amount of room on the device or TFTP server. If you are copying an image file to flash, first copy the other image to your TFTP server, then delete it from flash. (Use the erase flash... CLI command at the Privileged EXEC level to erase the image in the flash.) If you are copying a configuration file to flash, edit the file to remove unneeded information, then try again.
7 | TFTP busy, only one TFTP session can be active. | Another TFTP transfer is active on another CLI session or Web management session. Wait, then retry the transfer.
8 | File type check failed. | You accidentally attempted to copy the incorrect image code into the system. For example, you might have tried to copy a chassis image into a fixed-port device. Retry the transfer using the correct image.
16 | TFTP remote - general error. | The TFTP configuration has an error. The specific error message describes the error. Correct the error, then retry the transfer.
17 | TFTP remote - no such file. | Same as code 16.
18 | TFTP remote - access violation. | Same as code 16.
19 | TFTP remote - disk full. | Same as code 16.
20 | TFTP remote - illegal operation. | Same as code 16.
21 | TFTP remote - unknown transfer ID. | Same as code 16.
22 | TFTP remote - file already exists. | Same as code 16.
23 | TFTP remote - no such user. | Same as code 16.


Saving or Erasing Image and Configuration Files 

You can save modified configuration files to the permanent startup configuration file or erase software images or 
configuration files. 

USING THE CLI 

• erase flash primary erases the image stored in primary flash of the system. 

• erase flash secondary erases the image stored in secondary flash of the system. 

• erase startup-config erases the configuration stored in the startup configuration file; however, the running 
configuration remains intact until system reboot. 

• write memory saves the running configuration file into the startup configuration file. 

NOTE: All of these commands are at the privileged level of the CLI. See the Command Line Interface Reference. 



USING THE WEB MANAGEMENT INTERFACE 

You cannot delete image or configuration files using the Web management interface. 

Scheduling a System Reload 

In addition to reloading the system manually, you can configure the HP device to reload itself at a specific time or 
after a specific amount of time has passed. 



NOTE: The scheduled reload feature requires the system clock. You can use a Simple Network Time Protocol 
(SNTP) server to set the clock or you can set the device clock manually. See "Specifying a Simple Network Time 
Protocol (SNTP) Server" on page 9-10 or "Setting the System Clock" on page 9-12. 
Reloading at a Specific Time

To schedule a system reload for a specific time, use one of the following methods.

USING THE CLI

To schedule a system reload from the primary flash module for 6:00:00 AM, January 19, 1999, enter the following 
command at the global CONFIG level of the CLI: 

HP9300# reload at 06:00:00 01-19-99 

Syntax: reload at <hh:mm:ss> <mm-dd-yy> [primary | secondary]

<hh:mm:ss> is the hours, minutes, and seconds.

<mm-dd-yy> is the month, day, and year.

primary | secondary specifies whether the reload is to occur from the primary code flash module or the
secondary code flash module. The default is primary.

USING THE WEB MANAGEMENT INTERFACE 

You cannot schedule a system reload using the Web management interface. 

Reloading after a Specific Amount of Time 

To schedule a system reload to occur after a specific amount of time has passed on the system clock, use one of 
the following methods. 

USING THE CLI 

To schedule a system reload from the secondary flash one day and 12 hours later, enter the following command at
the global CONFIG level of the CLI:

HP9300# reload after 01:12:00 secondary

Syntax: reload after <dd:hh:mm> [primary | secondary]

<dd:hh:mm> is the number of days, hours, and minutes.

primary | secondary specifies whether the reload is to occur from the primary code flash module or the
secondary code flash module.

USING THE WEB MANAGEMENT INTERFACE 

You cannot schedule a system reload using the Web management interface. 

Displaying the Amount of Time Remaining Before a Scheduled Reload 

To display how much time is remaining before a scheduled system reload takes place, use one of the following 
methods. 

USING THE CLI 

To display how much time is remaining before a scheduled system reload, enter the following command from any 
level of the CLI: 

HP9300# show reload 

USING THE WEB MANAGEMENT INTERFACE 

You cannot display information about a scheduled reload using the Web management interface. 

Canceling a Scheduled Reload 

To cancel a scheduled reload, use one of the following methods.

USING THE CLI

To cancel a scheduled system reload using the CLI, enter the following command at the global CONFIG level: 

HP9300# reload cancel 
USING THE WEB MANAGEMENT INTERFACE

You cannot cancel a scheduled reload using the Web management interface.

Chapter 7

Software Overview



This chapter provides an overview of the software features supported on HP ProCurve devices. 

• For configuration details for these features, see Chapter 9 of this guide and the Advanced Configuration and 
Management Guide, included in PDF format on the Product Documentation CD-ROM included with your 
switch or routing switch. 

• For detailed information about CLI commands shown in this chapter, see the Command Line Interface 
Reference. 

• For information about the protocols, RFCs, and standards supported by the software, see the "Software
Specifications" appendix.

• For an overview of the hardware, see "Hardware Overview" on page 8-1.

Software Feature Summary 

This section lists the flash image files (system software) that HP ProCurve devices can run and the features that 
are supported in each type of flash image. HP products run either switch code or routing switch code flash 
images. 

This section describes the features provided in each type of software and how to determine the type of software 
an HP device is running. Where this guide refers to HP routing switches and switches, the flash code your device 
is running determines whether "routing switch" or "switch" is applicable to your device. 

Flash Images 

The flash image (system software) that is running on a device determines the software features that are supported 
by that device. Table 7.1 lists the flash images that can be used on each HP device. 



Table 7.1: HP Flash Software Images

Product | Flash image | Description
HP 9308M, HP 9304M, HP 6308M-SX | HPRxxxxx.BIN; H2Rxxxxx.BIN (redundant management module) | routing switch code
HP 6208M-SX | HPSxxxxx.BIN | switch code

NOTE: Some features are supported only on specific products or require specific hardware configurations. See
the chapters describing those features or contact Hewlett-Packard or your reseller for information.



Determining the Flash Version a Device Is Running 

To determine the flash image running on an HP device, do one of the following.

USING THE CLI

Enter the following command: show version 



NOTE: You can enter this command from any CLI access level. 



Here is an example of the information displayed by the command. 

HP9300> show version 

SW: Version 07.1.10T53 Hewlett-Packard Company 

Compiled on Nov 17 2000 at 13:46:21 labeled as H2R07110 

J4138A HP ProCurve Routing Switch 9308M 
HW: ProCurve HP9308 Routing Switch, SYSIF version 21 



SL 1: 8 Port Gig Management Redundant Module, M2 , ACTIVE 

2048 KB BRAM, SMC version 1, ICBM version 21 

512 KB PRAM (512K+0K) and 2048*8 CAM entries for DMA 0, version 0209 

512 KB PRAM (512K+0K) and shared CAM entries for DMA 1, version 0209 

512 KB PRAM (512K+0K) and 2048*8 CAM entries for DMA 2, version 0209 

512 KB PRAM (512K+0K) and shared CAM entries for DMA 3, version 0209 



SL 3 : 24 Port Copper Module 

2048 KB BRAM, SMC version 2, ICBM version 21 

256 KB PRAM (256K+0K) and 2048*8 CAM entries for DMA 8, version 0808 

256 KB PRAM (256K+0K) and shared CAM entries for DMA 9, version 0808 

256 KB PRAM (256K+0K) and shared CAM entries for DMA 10, version 0808 



SL 4 : 24 Port Copper Module 

2048 KB BRAM, SMC version 2, ICBM version 21 

256 KB PRAM(256K+0K) and 2048*8 CAM entries for DMA 12, version 0808 

256 KB PRAM (256K+0K) and shared CAM entries for DMA 13, version 0808 

256 KB PRAM (256K+0K) and shared CAM entries for DMA 14, version 0808 



Active management module: 

240 MHz Power PC processor 603 (version 7/1201) 63 MHz bus 

512 KB boot flash memory 
8192 KB code flash memory 

256 KB SRAM 

128 MB DRAM 
The system uptime is 3 seconds 

The system : started=warm start reloaded=by "reload"

USING THE WEB MANAGEMENT INTERFACE

1. Log on to the device using a valid user name and password for read-only or read-write access. The System
configuration dialog is displayed.

2. Click on the plus sign next to Monitor in the tree view to expand the list of monitoring options. 

3. Click on the Device link to display the Device Information panel. 
NOTE: You can access the version information whether you have read-write ("set") or read-only ("get") access.



Feature List 

Table 7.2 on page 7-3 lists the major software features available in the types of flash software listed in Table 7.1
on page 7-1. Some features are supported only in certain flash software. For each feature, the table indicates the
types of flash code in which the feature is supported. Table 7.2 on page 7-3 uses the following labels to indicate
the flash code types:

• routing switch - A device capable of performing Layer 2, Layer 3, and Layer 4 switching and Layer 3 
routing. The following HP devices are or can be configured as routing switches: 

• HP 9308M 

• HP 9304M 

• HP 6308M-SX 

• switch - A device capable of performing Layer 2 switching. The following HP device is configured as a
switch:

• HP 6208M-SX

NOTE: Some features are supported only on specific products. Footnotes at the end of the table list any 
exceptions. 

Some features require specific hardware configurations. See the chapters describing those features or contact 
Hewlett-Packard or your reseller for information. 



Table 7.2: HP Software Features

Feature | Supported on routing switch | Supported on switch | See page...

Access and Management Features
Secure Shell (SSH) | X | X | 7-6
Command-line and web-based management interfaces | X | X | 7-7
Simple Network Management Protocol (SNMP)-based management application | X | X | 7-7
Multiple levels of access control | X | X | 7-9
TACACS/TACACS+ authentication, authorization, and accounting | X | X | 7-9
RADIUS authentication | X | X | 7-10
Access Control Lists (ACLs) | X | X | 7-10
Protection Against Denial of Service (DoS) Attacks | X | X | 7-10
Dynamic configuration | X | X | 7-10
Soft reboot (reboot flash image without resetting the system) | X | X | 7-10
Scheduled system reload | X | X | 7-10
[feature name unreadable in source] | X | X | 7-11
Trivial File Transfer Protocol (TFTP) | X | X | 7-11
Simple Network Time Protocol (SNTP) | X | X | 7-11
Domain Name Server (DNS) resolver | X | X | 7-11
SNMPv2c | X | X | 7-12
Remote Monitoring (RMON) | X | X | 7-12
SNMP alarms and trap log | X | X | 7-12
SyslogD client | X | X | 7-12
Ping and trace-route facilities | X | X | 7-13
Port mirroring | X | X | 7-13

Bandwidth Management Features
Fixed Rate Limiting | X | X | 7-13
Adaptive Rate Limiting | X | X | 7-13

Quality of Service (QoS) Features
IP Type of Service mapping | X | X | 7-14
Selectable queuing method (strict or weighted) | X | X | 7-14
Configurable bandwidth percentages | X | X | 7-14
802.1p priority mapping | X | X | 7-14
Queue assignment by traffic type | X | X | 7-14

Switching Features
MAC switching | X | X | 7-15
Static MAC entries | X | X | 7-15
Standard Spanning Tree Protocol | X | X | 7-15
Additional STP enhancements | X | X | 7-16
Trunk groups | X | X | 7-16
Port-based Virtual LANs (VLANs) | X | X | 7-16
MAC filters | X | X | 7-17
Address-lock filters | | X | 7-17
Dynamic Host Configuration Protocol (DHCP) Assist | | X |
IP Multicast Containment | X | X |

Layer 3 Switching Features
Protocol-based Virtual LANs (VLANs) | X | X |

Layer 3 Routing Features
IP route and protocol-port filters | X | |
IP/RIP filters | X | | 7-21
Policy-based routing (PBR) | X | | 7-21
Network Address Translation (NAT) | X | | 7-22
IPX routing | X | | 7-22
IPX route and socket filters | X | | 7-22
IPX/RIP and IPX/SAP filters | X | | 7-22
AppleTalk routing | X | | 7-23
AppleTalk zone and network filters | X | | 7-23
IP Multicast Routing (PIM and DVMRP) | X | | 7-23
Redistribution filters | X | | 7-23
User Datagram Protocol (UDP) Helper | X | | 7-24

Layer 4 Switching Features
TCP/UDP access policies | X | X | 7-24

Load Balancing and Redundancy Features
Virtual Router Redundancy Protocol (VRRP) | X | | 7-24
VRRP Extended (VRRPE) | X | | 7-25
Server Redundancy Protocol (SRP) | X | |
Showing System Defaults 

You can display the defaults for system parameters using the following method. 
USING THE CLI 

To display the default information, enter the following command from any level of the CLI: 
show default [values] 

If you specify "default" but not the optional "values", the default states for parameters that can either be enabled or 
disabled are displayed. If you also specify "values", the default values and configurable ranges for various tables 
are displayed. 

Here is an example of the information displayed by the show default command on an HP 9308M routing switch. 

HP9300# show default 

spanning tree disabled       port untagged               port flow control on 
auto sense port speed        no password assigned        boot sys flash primary 
no username assigned         sntp disabled               radius disabled 
system traps enabled         ospf disabled               bgp disabled 
rip disabled 

when ip routing enabled 
ip irdp enabled              ip load-sharing enabled     ip proxy arp enabled 
ip rarp enabled              ip bcast forward enabled 
dvmrp disabled               pim/dm disabled 
vrrp disabled                srp disabled 

when rip enabled : 
rip type:v2 only             rip poison rev enabled 

ipx disabled                 appletalk disabled 
See the Command Line Interface Reference for additional examples. 
USING THE WEB MANAGEMENT INTERFACE 

You cannot display the system defaults using the Web management interface. 



NOTE: You can display and configure the sizes of various tables such as the MAC, ARP, and IP tables by 
selecting the Parameters link from the System configuration sheet. See "Displaying and Modifying System 
Parameter Default Settings" on page 9-58. 



Access and Management Features 

The following sections describe the access and management features listed in Table 7.1 on page 7-1. 

Secure Shell (SSH) 

Secure Shell (SSH) is a mechanism for allowing secure remote access to an HP device. SSH provides a function 
similar to Telnet. Users can log into and configure the device using a publicly or commercially available SSH client 
program, just as they can with Telnet. However, unlike Telnet, which provides no security, SSH provides a secure, 
encrypted connection to the device. 

SSH supports Arcfour, IDEA, Blowfish, DES (56-bit) and Triple DES (168-bit) data encryption methods. Nine 
levels of data compression are available. You can configure your SSH client to use any one of these data 
compression levels when connecting to an HP device. 

HP's implementation of SSH supports two kinds of user authentication: 
• RSA challenge-response authentication, where a collection of public keys is stored on the device. Only 
clients with a private key that corresponds to one of the stored public keys can gain access to the device 
using SSH. 

• Password authentication, where users attempting to gain access to the device using an SSH client are 
authenticated with passwords stored on the device or on a TACACS/TACACS+ or RADIUS server. 

HP devices also support Secure Copy (SCP) for securely transferring files between an HP device and SCP- 
enabled remote hosts. 



NOTE: SSH is supported on the following HP devices: HP 9308M and HP 9304M. 



NOTE: HP's implementation of SSH supports SSH version 1 only. All references to SSH in this document are to 
SSH version 1. 



For configuration and user information, see "Configuring Secure Shell" on page 4-1. 

Management Interfaces 

HP ProCurve devices can be managed using any of the following interfaces: 

• Command Line Interface (CLI) - a text-based interface accessible through a direct serial connection or a 
Telnet session. 

• Web management interface - A GUI-based management interface accessible through an HTTP (web 
browser) connection. 

The CLI and Web management interfaces come standard on HP ProCurve switches and routing switches. 
Command Line Interface (CLI) 

The CLI comes standard on all HP ProCurve devices. The CLI is a text-based operator interface that allows you 
to configure a system with a PC or terminal without special software. 

Up to five read-only Telnet sessions can operate concurrently on either an HP switch or routing switch. Only one 
read-write Telnet session is allowed at a time. 

Web Management Interface 

A Web management interface is supported on web browsers Netscape Navigator™ versions 2.0 or later, and 
Microsoft Internet Explorer™ versions 3.0 or later. No application software is required. The Web management 
interface comes standard on all switches and routing switches. 

To use the Web management interface, open a web browser and enter the IP address of the HP device in the 
Location or Address field. The web browser contacts the HP device and displays a login dialog, as shown in 
Figure 7.1. 



[Figure: browser "Enter Network Password" dialog for Site 209.157.22.1, Realm "Web Manager", with the User Name field set to "set" and the Password field masked with asterisks] 

Figure 7.1 Web Management interface login dialog 
• For read-write access, enter "set" in the User Name field and a read-write community string that you have 
configured on the device in the Password field, as shown in Figure 7.1. (For security, the software displays 
asterisks when you type your password.) 

• For read-only access, enter "get" in the User Name field and "public" (the default read-only community string) 
or a read-only community string you have configured in the Password field. 

NOTE: The software does not contain a default read-write SNMP community string. You must configure a read- 
write string before you can make configuration changes using the Web management interface. See "Adding an 
SNMP Community String" on page 3-14. 

On the HP 9304M or HP 9308M, if you have configured a greeting banner (using the banner motd CLI 
command), a panel with the greeting is displayed first. Click on the Login link to proceed to the Login dialog. Here 
is an example of the greeting panel: 



[Greeting panel: Hewlett-Packard ProCurve 9308 (HP J4138A) banner reading "Welcome to HP ProCurve!"] 



Figure 7.2 shows an example of the Web management display of an HP 9304M or HP 9308M routing switch. 



[Figure: Netscape window titled "HP Device Management" at Location http://209.157.22.241/. The left-hand frame for HP9308 offers Monitor, Configure and Command links. The main panel shows the Identification, IP Address, NTP, Clock, Module, Max-Parameter and Management links, Disable/Enable radio buttons for Policy Based VLANs (Port, L3 Protocol), Spanning Tree (Single, Fast), QoS (Strict, Weighted), L2 Switching, OSPF, RIP, IPX, DVMRP, PIM, SRP, AppleTalk, BGP (Local AS) and VRRP, and the Advance..., Apply and Reset buttons.] 

Figure 7.2 Example of Web management interface 



The configuration and management procedures in this guide include instructions for the Web management 
interface. 
• To display general system information, click on a blank area of the device's management module. If the 
chassis display is disabled as shown in this example, click on the object shown in the chassis window. The 
object contains the product name. 

• To display information about a specific port, click on the port on the front panel display. (This option is 
available only when you enable display of the front panel. See the note below.) 

• Click on the links in the left-hand frame or on the bottom of the display to view statistics or to view and change 
configuration parameters. 



NOTE: The Web management interface automatically refreshes the system information at regular intervals, 
including the link LEDs for the ports. To streamline performance, display of the device's front panel is disabled by 
default. To enable front panel display, select the Preference link, select the Enable radio button for Front panel 
display, then click Apply. Select Reload or Refresh on your browser's tool bar to immediately see the effect of the 
change. 



Multiple Levels of Access Control 

HP switches and routing switches provide multiple levels of access to allow system administrators complete 
configuration control while protecting the system from unauthorized changes. 

CLI Access 

Three levels of password protection offer a range of access points for various users within the network. The three 
levels are: 

• Super user - This setting allows a user unlimited access to all levels of the CLI. This level is generally 
reserved for system administrators within the network. The super user is also the only one who can assign a 
password access level to another user. 

• Configure port - This level allows a user to configure interface parameters only and to view any show 
command displays. 

• Read only - A user at this password level will only be able to view show command displays within the CLI. 
No configuration is allowed at this password level. 

Web Management Interface Access 

By default, access through the Web management interface is controlled by passwords associated with the "get" 
(read-only) and "set" (read-write) SNMP community strings. The default password for "get" is "public". There is 
no default password for "set". You can configure SNMP community strings using CLI commands. See 
"Establishing SNMP Community Strings" on page 3-13. You also can use locally configured user names and 
passwords to control access through the Web management interface. See "Local Access Control" on page 7-9. 

Local Access Control 

You can configure up to 16 user names and passwords to control access to an HP switch or routing switch. The 
passwords and user names can be used for accessing devices using the CLI and the Web management interface. 
For each management platform, you configure an authentication-method list that specifies sources the device can 
consult to authenticate an access attempt and the order in which to consult the sources. For example, you can 
configure an authentication-method list to authenticate CLI management access based on a local access list first 
(user names and passwords you have configured), then a RADIUS server, then the enable passwords. 

See "Setting Up Local User Accounts" on page 3-11 and "Configuring Authentication-Method Lists" on page 3-44. 

TACACS and TACACS+ Security 

You can secure CLI access to the switch or routing switch by configuring the device to consult a Terminal Access 
Controller Access Control System (TACACS) or TACACS+ server to authenticate user names and passwords. 
The software supports authentication, authorization, and accounting (AAA). See "Configuring TACACS/ 
TACACS+ Security" on page 3-16. 
RADIUS Security 

You can further secure CLI access to the switch or routing switch by configuring the device to consult a Remote 
Access Dial In User Service (RADIUS) server to authenticate user names and passwords. The software supports 
authentication, authorization, and accounting (AAA). See "Configuring RADIUS Security" on page 3-31. 

Access Control Lists (ACLs) 

Access control lists (ACLs) enable you to permit or deny packets based on source and destination IP address, 
IP protocol information, or TCP or UDP protocol information. You can configure the following types of ACLs: 

• Standard - Permits or denies packets based on source IP address. ACL IDs 1 - 99 are for standard ACLs. 

• Extended - Permits or denies packets based on source and destination IP address and also based on IP 
protocol information. ACL IDs 100-199 are for extended ACLs. 

In addition, you can use ACLs to control CLI and Web access to the device. You also can use ACLs for Policy- 
Based Routing (PBR). 

See the "Using Access Control Lists (ACLs)" chapter in the Advanced Configuration and Management Guide. 
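A small model of the ACL semantics described above, standard IDs 1 - 99 matching on source address and extended IDs 100 - 199 matching on source, destination and protocol information. This is an added example, not the device's ACL syntax or code; top-down first-match evaluation and the implicit deny for unmatched packets are assumptions, noted in the code.

```python
"""Model of the standard/extended ACL semantics described above.

Added example, not the HP device's ACL syntax or code. Assumptions made here:
  - IDs 1-99 are standard (source address only), 100-199 extended (source,
    destination, IP protocol, TCP/UDP port), as the text states;
  - entries are evaluated top-down and the first match wins;
  - a packet matching no entry is denied (implicit deny; the page does not
    state the device's behaviour, this is the usual ACL convention).
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

STANDARD_IDS = range(1, 100)
EXTENDED_IDS = range(100, 200)


@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    src: str                         # CIDR, e.g. "10.1.1.0/24"
    dst: Optional[str] = None        # extended ACLs only
    proto: Optional[str] = None      # "tcp", "udp", "icmp" or "ip" (any)
    dport: Optional[int] = None      # extended ACLs, TCP/UDP only


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


@dataclass
class Acl:
    acl_id: int
    entries: List[Entry] = field(default_factory=list)

    @property
    def kind(self) -> str:
        if self.acl_id in STANDARD_IDS:
            return "standard"
        if self.acl_id in EXTENDED_IDS:
            return "extended"
        raise ValueError(f"ACL ID {self.acl_id} is outside 1-199")

    def add(self, entry: Entry) -> None:
        if entry.action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        # A standard ACL can only look at the source address; reject entries
        # carrying extended-only match fields rather than silently ignoring them.
        extended_fields = (entry.dst, entry.proto, entry.dport)
        if self.kind == "standard" and any(f is not None for f in extended_fields):
            raise ValueError("standard ACLs match on source IP address only")
        self.entries.append(entry)

    def _matches(self, e: Entry, p: Packet) -> bool:
        if ip_address(p.src) not in ip_network(e.src, strict=False):
            return False
        if self.kind == "standard":
            return True
        if e.dst is not None and ip_address(p.dst) not in ip_network(e.dst, strict=False):
            return False
        if e.proto not in (None, "ip") and e.proto != p.proto:
            return False
        if e.dport is not None and e.dport != p.dport:
            return False
        return True

    def evaluate(self, p: Packet) -> str:
        """Return the action of the first matching entry, 'deny' if none matches."""
        for e in self.entries:
            if self._matches(e, p):
                return e.action
        return "deny"  # implicit deny (assumption, see module docstring)


def demo() -> dict:
    """Constructed sample: allow SSH to the management address only from an
    admin subnet, block every other packet to that address, pass transit."""
    mgmt = Acl(101)
    mgmt.add(Entry("permit", "10.1.1.0/24", "10.0.0.1/32", "tcp", 22))
    mgmt.add(Entry("deny", "0.0.0.0/0", "10.0.0.1/32", "ip"))
    mgmt.add(Entry("permit", "0.0.0.0/0", "0.0.0.0/0", "ip"))
    return {
        "admin_ssh": mgmt.evaluate(Packet("10.1.1.7", "10.0.0.1", "tcp", 22)),
        "other_ssh": mgmt.evaluate(Packet("10.9.9.9", "10.0.0.1", "tcp", 22)),
        "admin_telnet": mgmt.evaluate(Packet("10.1.1.7", "10.0.0.1", "tcp", 23)),
        "transit_dns": mgmt.evaluate(Packet("10.9.9.9", "192.0.2.53", "udp", 53)),
    }
```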

Protection Against Denial of Service Attacks 

In a Denial of Service (DoS) attack, a router is flooded with useless packets, hindering normal operation. HP 
devices include measures for defending against the following common types of DoS attacks: 

• Smurf attacks - A Smurf attack is a kind of DoS attack where an attacker causes a victim to be flooded with 
ICMP echo (Ping) replies sent from another network. 

• TCP SYN attacks - TCP SYN attacks exploit the process of how TCP connections are established in order to 
disrupt normal traffic flow. When a TCP connection starts, the connecting host first sends a TCP SYN packet 
to the destination host. The destination host responds with a SYN ACK packet, and the connecting host 
sends back an ACK packet. This process, known as a "TCP three-way handshake", establishes the TCP 
connection. 

See "Protecting Against Denial of Service Attacks" on page B-1. 

Dynamic Configuration 

Dynamic configuration enables you to make configuration changes without rebooting the system. Many of the 
configuration changes you can make to HP switches and routing switches do not require a reboot and take effect 
immediately. You can make the changes without causing network outages. The individual configuration chapters 
describing each feature area (chapters 7-18) list the parameters that can be dynamically changed. 

Soft Reboot 

When you upgrade the software image on an HP switch or routing switch, you do not need to power down the 
system to use the new software. You can boot the new software immediately from the primary flash, secondary 
flash, a TFTP server, or a BootP server. 

You also can use this feature to test new versions of flash code before replacing the previous flash image. 

For more details on the boot commands and on copying software to and from HP switches and routing switches, 
refer to "Updating Software Images and Configuration Files" on page 6-1. 

Scheduled System Reload 

Although the dynamic configuration feature (see "Dynamic Configuration" on page 7-10) allows many parameter 
changes to take effect immediately without a system reset, other parameters do require a system reset. 

To place these parameters into effect, you must save the configuration changes to the configuration file, then 
reload the system. The management interfaces provide an option to immediately reset the system. Alternatively, 
you can use the scheduled system reload feature to configure the system to reload its flash code at a specific time 
(based on the system clock or SNTP time) or after a specific amount of time has passed. 
See "Scheduling a System Reload" on page 6-9. 

Telnet 

As described in "Management Interfaces" on page 7-7, HP devices allow you to access the CLI through a Telnet 
connection. To establish the Telnet connection, you need the following: 

• An IP address on the HP device. See "Assign a Permanent IP Address" on page 2-13 for information. 

• A third-party terminal emulation application installed on a PC or workstation that has network access to the 
HP device. 

Trivial File Transfer Protocol (TFTP) 

All HP devices allow you to use TFTP to copy files to and from the flash memory modules on the management 
module. You can use TFTP to perform the following operations: 

• Upgrade boot or flash code. 

• Archive boot or flash code or a configuration file on a TFTP server. 

• Load the system using flash code and a configuration file stored on a TFTP server. (This occurs as part of the 
BootP or DHCP process.) 



NOTE: Certain boot upgrades may require you to install new firmware. Contact your reseller or Hewlett-Packard 
for information. 



See "Updating Software Images and Configuration Files" on page 6-1 for more information about using TFTP on 
HP devices. 

Simple Network Time Protocol (SNTP) 

HP devices can use either of two time and date sources: 

• An on-board system clock. 

• An external SNTP server. The server can be on the same sub-net or a different sub-net. 

If you have access to an SNTP server, Hewlett-Packard recommends that you use the SNTP server as the time 
and date source. Using an SNTP server ensures that all devices that use the SNTP server have a consistent time 
and date. In addition, the settings on the system time counter are not retained across power cycles. The counter 
has to be reset following each power-up. If the device is configured to reference an SNTP server, the device 
automatically sets its time counter according to the SNTP server after a system reset. 

Regardless of the time and date source you use, you can configure the time zone of the time and date. You also 
can enable daylight savings time, which is disabled by default. 

See "Setting the System Clock" on page 9-12 for more information about setting the time and date. 

Domain Name Server (DNS) Resolver 

The DNS Resolver feature allows you to use just a host name rather than a fully-qualified domain name when you 
use Telnet, ping, and trace-route commands. To configure the feature, you specify the domain name, then specify 
the IP addresses of up to four DNS servers that have authority for the domain. 

For example, if you define the domain "newyork.com" on an HP device, you can initiate a ping to a host on that 
domain by specifying only the host name in the command. You do not need to specify the host's entire domain 
name. 

As an example, here are two CLI commands. The first command uses only the host name. The second 
command uses the fully-qualified domain name for the host. 

HP9300# ping nyc01 

HP9300# ping nyc01.newyork.com 
See the "Configuring IP" chapter in the Advanced Configuration and Management Guide for information. 

SNMPv2c Support 

HP devices support SNMPv2c, including support for GetBulk requests. The SNMPv2c support is enabled by 
default and cannot be disabled. Thus, you do not need to perform any configuration on the device to use the 
feature. SNMPv1 also is enabled by default. 



NOTE: You can disable all SNMP access to the device if needed. See "Disabling Specific Access Methods" on 
page 3-7. 



To use this enhancement, you need an SNMP management application that is capable of sending GetBulk 
requests. See the documentation for your application for more information. 



NOTE: The SNMPv2c support does not include support of SNMPv2c traps. 



Remote Monitoring (RMON) Statistics 

All HP devices include an RMON agent that supports the following groups. The group numbers come from the 
RMON specification (RFC 1757). 

• Statistics (RMON Group 1) - Current packet and error statistics for each port. 

• History (RMON Group 2) - Samplings of packet and error statistics captured at regular intervals. You can 
configure the sampling rate and the number of "buckets" in DRAM for storing the samplings. 

• Alarms (RMON Group 3) - A list of alarm events, which indicate that a threshold level for a specific part of the 
device has been exceeded. You can select the system elements you want RMON to monitor and the 
thresholds for triggering the alarms. 

• Events (RMON Group 9) - A log of system events (such as port-state change to up or down, and so on) and 
alarms. RMON Group 9 also specifies the action to be taken if an alarm threshold is exceeded. 

See the "Network Monitoring" appendix in the Advanced Configuration and Management Guide for information 
about setting and displaying the RMON statistics. 

Syslog Logging 

In addition to the event and alarm logs provided by RMON, HP devices contain a Syslog agent that can write log 
messages to a local buffer and optionally to a third-party SyslogD server. The Syslog feature can write messages 
at the following severity levels: 

• Emergencies 

• Alerts 

• Critical 

• Errors 

• Warnings 

• Notifications 

• Informational 

• Debugging 

The device automatically writes the Syslog messages to a local buffer. If you specify the IP address or name of a 
SyslogD server, the device also writes the messages to the SyslogD server. The default facility for messages 
written to the server is "user". You can change the facility if needed. You also can change the number of entries 
that can be stored in the local buffer. The default is 50. HP devices do not have a limit to the number of messages 
that can be logged on a remote SyslogD server. 



NOTE: You can specify only one facility. 



See "Configuring the Syslog Service" on page 9-14 for configuration information. 

Ping and Traceroute Facilities 

After you configure an IP address for the device, you can test the device's network connections using the following 
facilities: 

• Ping - You can send a test packet to a host's IP address or host name. If the packet reaches the host, the 
host generally sends a reply packet to let you know the host received your ping. If the host does not reply 
within a specified interval, the HP device re-attempts the ping up to a specified number of times. 

• Traceroute - On HP switches and routing switches, you can trace the IP path to a host. The traceroute 
feature displays a list of all the intervening router hops the traceroute request traversed to reach the host. 

See "Verifying Proper Connections" on page 2-20. 

Port Mirroring 

The mirror port feature lets you connect a protocol analyzer to a port on an HP device to observe the traffic flowing 
into and out of another port on the same device. To use this feature, you specify the port you want to monitor and 
the port into which you are plugging the protocol analyzer. 



NOTE: Only one mirror port can be active on a switch or routing switch at a time. By default, no mirror port is 
assigned. 



For more information, see "Assigning a Mirror Port and Monitor Ports" on page 9-61. 

Bandwidth Management 

HP's rate limiting enables you to control the amount of bandwidth specific Ethernet traffic uses on specific 
interfaces, by limiting the amount of data the interface receives or forwards for traffic. You can configure the 
following types of rate limiting: 

• Fixed Rate Limiting - Enforces a strict bandwidth limit. The device forwards traffic that is within the limit but 
drops all traffic that exceeds the limit. 

• Adaptive Rate Limiting - Enforces a flexible bandwidth limit that allows for bursts above the limit. You can 
configure Adaptive Rate Limiting to forward, modify the IP precedence of and forward, or drop traffic based on 
whether the traffic is within the limit or exceeds the limit. 

Rate limiting is supported on the HP 9304M and HP 9308M. 

For information, see the "Rate Limiting" chapter in the Advanced Configuration and Management Guide. 

Quality of Service (QoS) 

Quality of Service (QoS) is an extended set of prioritization features that provide greater flexibility and control over 
how traffic is handled as it passes through an HP device. 

Using QoS, you can configure the device's four QoS queues and you can classify packets and assign them to 
specific queues based on the following criteria: 

• Incoming port (sometimes called ingress port) 

• IP source and destination addresses 

• Layer 4 source and destination information (for all IP addresses or specific IP addresses) 

• Static MAC entry 

• AppleTalk socket number 

• Layer 2 port-based VLAN membership 

• 802.1q tag 



NOTE: QoS is supported only on the HP 9304M, HP 9308M, and HP 6308M-SX. On the HP 6208M-SX, you 
can assign certain types of traffic to the high queue instead of the normal queue, but the other features described 
in this chapter are not supported. 



IP Type of Service (TOS) Mapping 

HP devices that support QoS automatically place incoming IP packets into one of the four priority queues based 
on the value of the first two bits in the Type of Service (TOS) field. Thus, if the TOS field contains a value 
equivalent to the highest priority, the packet is placed into the premium queue (highest priority queue) and given 
premium service throughout the device. 

Selectable Queuing Method 

QoS allows you to select one of the following queueing methods: 

• Strict - Higher level queues are preferred over lower level queues 

• Bandwidth - A weighted fair queuing algorithm is used to rotate service among the four queues. The number 
of packets in each queue that are serviced during a single rotation is based on the weights the software 
assigns to the queues. The weights are based on the bandwidth percentages you allocate to each of the 
queues. 

Configurable Bandwidth Percentages 

For weighted fair queuing, you can specify the minimum percentages of bandwidth each queue should receive. 
The device applies a weight to each queue based on normalized values for the percentages you enter. 

802.1q Priority Mapping 

By default, devices with QoS assign 802.1q tagged VLAN packets into one of the four QoS queues based on the 
prioritization value in the tag field. You can bias tagged traffic to lower or higher queues by remapping the 
prioritization values. 
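The queue-selection and scheduling behaviour described in the TOS Mapping, Selectable Queuing Method, Configurable Bandwidth Percentages and 802.1q Priority Mapping sections, as an added example rather than HP's code: the two high-order TOS bits pick one of four queues, an 802.1p value is mapped (or remapped) onto them, and strict queuing is contrasted with weighted fair queuing whose weights are normalized from percentages. Queue numbering, the default two-to-one 802.1p fold and the "packets per rotation equals weight" rule are assumptions, since the page gives no tables.

```python
"""QoS queue selection and scheduling as described in the QoS sections above.

Added example, not HP's code; the device's exact tables are not on the page.
Assumptions: four queues numbered 0 (lowest) to 3 ("premium"); the two
high-order TOS bits select the queue directly; an 802.1p value 0-7 is folded
onto the four queues two-to-one unless a remap table is given; weighted fair
queuing serves each queue up to `weight` packets per rotation.
"""
from collections import deque
from typing import Deque, Dict, List, Optional, Tuple

NUM_QUEUES = 4
PREMIUM = NUM_QUEUES - 1


def queue_from_tos(tos: int) -> int:
    """Queue chosen from the first two bits of the IP TOS byte (0b11xxxxxx -> 3)."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("TOS must be one byte")
    return tos >> 6


def queue_from_8021p(priority: int, remap: Optional[Dict[int, int]] = None) -> int:
    """Queue for an 802.1q tagged frame; `remap` biases priorities up or down."""
    if not 0 <= priority <= 7:
        raise ValueError("802.1p priority is 3 bits")
    q = priority // 2 if remap is None else remap[priority]
    if not 0 <= q < NUM_QUEUES:
        raise ValueError("remapped queue out of range")
    return q


def weights_from_percentages(pct: List[int]) -> List[int]:
    """Normalize per-queue minimum bandwidth percentages into integer weights.

    E.g. [10, 20, 30, 40] -> [1, 2, 3, 4]: the smallest share gets weight 1
    and the others are scaled relative to it (rounded, never below 1).
    """
    if len(pct) != NUM_QUEUES or sum(pct) != 100 or min(pct) <= 0:
        raise ValueError("need four positive percentages summing to 100")
    smallest = min(pct)
    return [max(1, round(p / smallest)) for p in pct]


def schedule(queues: List[Deque[str]], method: str,
             weights: Optional[List[int]] = None, budget: int = 100) -> List[str]:
    """Drain up to `budget` packets and return them in transmit order.

    strict:   always take from the highest-numbered non-empty queue, so a
              busy premium queue can starve the others.
    weighted: rotate over the queues, taking up to weights[q] packets per
              visit, so every queue gets its share in each rotation.
    """
    out: List[str] = []
    if method == "strict":
        while len(out) < budget and any(queues):
            q = max(i for i in range(NUM_QUEUES) if queues[i])
            out.append(queues[q].popleft())
    elif method == "weighted":
        if weights is None or len(weights) != NUM_QUEUES or min(weights) < 1:
            raise ValueError("weighted queuing needs four weights >= 1")
        while len(out) < budget and any(queues):
            for q in range(NUM_QUEUES - 1, -1, -1):
                for _ in range(weights[q]):
                    if queues[q] and len(out) < budget:
                        out.append(queues[q].popleft())
    else:
        raise ValueError("method must be strict or weighted")
    return out


def demo() -> Tuple[List[str], List[str]]:
    """Constructed traffic: four packets waiting in each queue, drained both ways."""
    def fill() -> List[Deque[str]]:
        return [deque(f"q{q}-{n}" for n in range(4)) for q in range(NUM_QUEUES)]
    strict = schedule(fill(), "strict")
    weighted = schedule(fill(), "weighted", weights_from_percentages([10, 20, 30, 40]))
    return strict, weighted
```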

Queue Assignment by Traffic Type 

You can assign the following traffic types to one of the four QoS queues: 

• IP source and destination addresses 

• Layer 4 source and destination information (for all IP addresses or specific IP addresses) 

• Static MAC entry 

• AppleTalk socket number 

• Layer 2 port-based VLAN membership 

NOTE: This part of QoS was supported in earlier software releases too, but always used the default queue 
weights. 



In addition, QoS allows you to assign packets to a QoS queue based on the incoming (ingress) port. 

Layer 2 Switching Features 

The following sections describe the switching features listed in Table 7.1 on page 7-1. 
MAC Switching 

All HP devices support MAC switching. MAC switching enables intelligent wire-speed bridging of Layer 2 
packets. The first time an HP device receives a packet from a given MAC destination, the device makes an entry 
in its Layer 2 cache. The entry consists of the packet's source MAC address and the port on which the device 
received the packet. 

When the device receives a bridge packet destined for the cached address, the device does not need to send the 
packet as a broadcast through all the ports within the broadcast domain. Instead, the device can intelligently send 
the packet only through the port to which the destination device is connected. Thus, even though Layer 2 
domains are typically broadcast domains, MAC switching enhances performance in the domain by reducing the 
amount of broadcast traffic in the domain. 

In addition, HP routing switches that are enabled for MAC switching can switch traffic for routed protocols that are 
not supported in the routing switch software. If IPX routing is disabled on a routing switch, the routing switch can 
switch the IPX packets instead. 

To avoid accumulating stale cache entries, HP devices use an aging mechanism. The aging mechanism removes 
a learned entry from the cache after the entry has remained unused for a specified interval (by default, 300 
seconds). You can change or disable the aging interval. 

See "Configuring Basic Layer 2 Parameters" on page 9-29 for more information about configuring MAC switching 
parameters. 



NOTE: By default, all ports in an HP device belong to a common Layer 2 broadcast domain, VLAN 1. You can 
configure port-based VLANs (Virtual LANs) to create smaller broadcast domains that use subsets of the device's 
ports. See "Port-Based Virtual LANs (VLANs)" on page 7-16. 



Static MAC Entries 

MAC entries that the HP device learns and caches are subject to an aging time. After a cached entry remains 
unused for the duration of the aging time, the software removes the entry from the Layer 2 cache. If you want 
certain MAC addresses to always be present in the device's Layer 2 address table, you can add them as static 
entries. 

A static MAC entry, like a cached (dynamic) MAC entry, maps a MAC address to the HP device's port attached to 
that device. 

Unlike cached MAC entries, static MAC entries provide the following benefits: 

• You can assign a QoS priority to a static MAC entry. 

• You can specify VLAN membership for a static MAC entry. 

• A static entry prevents broadcast storms that can be caused when a server's MAC entry is removed. For 
example, if the server goes down long enough for the server's entry to age out, the HP device sends packets 
addressed to the server as broadcasts until the device relearns the cache entry for the server. 

You can specify port priority (QoS) and VLAN membership (VLAN ID) for the MAC address. On switches, you 
also can specify the device type (router or host) for the entry. 



NOTE: On HP routing switches, you also can create static IP routes, ARP entries, and RARP entries. HP 
switches support only static MAC addresses. 



For more details on configuring static MAC addresses, see "Configuring Static MAC Entries" on page 9-31. 
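The Layer 2 cache behaviour described in the MAC Switching and Static MAC Entries sections, as an added example that is not HP's code: source addresses are learned per port, known destinations leave through one port, unknown ones are flooded, dynamic entries age out after 300 seconds of disuse, and a static entry is never aged, so a server that goes quiet no longer turns into a broadcast storm. A single broadcast domain (VLAN 1), caller-supplied timestamps and the entry fields are assumptions.

```python
"""Layer 2 cache model for the MAC Switching / Static MAC Entries sections.

Added example, not HP's code. Assumptions: one broadcast domain (VLAN 1),
the caller supplies the current time so aging is deterministic, and a static
entry carries the optional QoS priority and VLAN ID the text mentions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT_AGING_SECONDS = 300          # default aging interval stated in the text
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class MacEntry:
    port: int
    static: bool = False
    last_used: float = 0.0           # refreshed on each frame from this source
    vlan: int = 1
    priority: Optional[int] = None   # QoS queue, static entries only


class L2Cache:
    def __init__(self, ports: List[int], aging: Optional[int] = DEFAULT_AGING_SECONDS):
        self.ports = ports
        self.aging = aging           # None disables aging, as the text allows
        self.table: Dict[str, MacEntry] = {}

    def add_static(self, mac: str, port: int, vlan: int = 1,
                   priority: Optional[int] = None) -> None:
        """Pin a MAC address to a port; static entries are exempt from aging."""
        if port not in self.ports:
            raise ValueError(f"unknown port {port}")
        self.table[mac.lower()] = MacEntry(port, static=True, vlan=vlan, priority=priority)

    def age_out(self, now: float) -> List[str]:
        """Remove dynamic entries unused for longer than the aging interval."""
        if self.aging is None:
            return []
        stale = [m for m, e in self.table.items()
                 if not e.static and now - e.last_used > self.aging]
        for m in stale:
            del self.table[m]
        return stale

    def forward(self, src: str, dst: str, in_port: int, now: float) -> List[int]:
        """Learn `src` on `in_port`, then return the egress ports for `dst`."""
        src, dst = src.lower(), dst.lower()
        self.age_out(now)
        entry = self.table.get(src)
        if entry is None or not entry.static:
            # Learn or refresh: the dynamic entry records the ingress port and
            # the time the source was last seen (static entries are left alone).
            self.table[src] = MacEntry(in_port, last_used=now)
        target = self.table.get(dst)
        if dst == BROADCAST or target is None:
            # Broadcast or unknown unicast: flood through every other port.
            return [p for p in self.ports if p != in_port]
        if target.port == in_port:
            return []                # destination is on the ingress segment
        return [target.port]


def demo() -> Dict[str, List[int]]:
    """Constructed scenario: a quiet server ages out and its traffic is flooded
    until it is pinned with a static entry."""
    server, client = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"
    sw = L2Cache(ports=[1, 2, 3, 4])
    out: Dict[str, List[int]] = {}
    out["server_broadcast"] = sw.forward(server, BROADCAST, 1, now=0)     # learned on 1
    out["to_server_fresh"] = sw.forward(client, server, 2, now=10)        # one port
    out["to_server_aged"] = sw.forward(client, server, 2, now=400)        # flooded
    sw.add_static(server, 1, vlan=1, priority=3)
    out["to_server_static"] = sw.forward(client, server, 2, now=99999)    # one port
    return out
```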

Standard Spanning Tree Protocol (STP) 

The Spanning Tree Protocol (STP) is a protocol for detecting and eliminating logical loops in a Layer 2 
broadcast domain. STP is described in the IEEE 802.1d bridge protocols standard. STP is supported on all HP 
switches and routing switches. 
STP also ensures that the device uses the most efficient path when multiple paths exist between ports. Moreover, 
if a selected path fails, STP searches for and then establishes an alternate path to prevent or limit retransmission 
of data. 

STP is disabled by default on routing switches but is enabled by default on switches. 

For information about configuring STP, see the "Configuring Spanning Tree Protocol (STP)" chapter in the 
Advanced Configuration and Management Guide. 

STP Enhancements 

HP provides a set of Layer 2 features that extend the operation of standard STP. These features enable you to 
fine tune standard STP and avoid some of its limitations. The STP enhancements include the following features: 

• Fast Port Span - By default, devices running Fast Port Span perform Spanning Tree Protocol (STP) 
convergence in four seconds instead of 30 or more seconds for certain ports connected to end stations. 

• Fast Uplink Span - Enhances STP by allowing an HP device with redundant uplinks to quickly resume 
forwarding, in just four seconds. This feature is similar to Fast Port Span but applies to certain inter-switch 
links on HP devices, instead of HP links to end stations. 

• Single-instance STP - Runs a single spanning tree on all ports in the HP device, even if you have already 
configured multiple port-based VLANs on the device. 

• Per VLAN Spanning Tree+ (PVST+) Compatibility - HP devices that are configured to support a separate 
spanning tree in each port-based VLAN can interoperate with Cisco devices that are running Per VLAN 
Spanning Tree (PVST) or PVST+, Cisco proprietary STP implementations that support separate spanning 
trees in each port-based VLAN. 

For more information and configuration procedures, see the "Configuring Spanning Tree Protocol (STP)" chapter 
in the Advanced Configuration and Management Guide. 

Trunk Groups 

A trunk group is a set of ports that provide a high speed link between two HP devices or between an HP device 
and a server. A trunk group can provide a transfer rate of up to 4 Gbps of bi-directional traffic. 

In addition to enabling load sharing of traffic, trunk groups provide redundant, alternate paths for traffic. Thus, if a 
link in a trunk group fails, the device still uses the other links in the trunk group. 

A trunk group can consist of two to four ports, and up to 8 ports on a Chassis device. You can configure up to 64 
trunk groups on a Chassis device, and up to four trunk groups on Fixed-port devices. 

For configuration information, see "Configuring Trunk Groups" on page 9-34. 

Port-Based Virtual LANs (VLANs) 

By default, all ports in an HP device belong to a common Layer 2 broadcast domain. When the device sends a 
Layer 2 broadcast packet, the packet goes out all active ports. A port-based VLAN (Virtual LAN) is a subset of 
ports on an HP device that constitutes a Layer 2 broadcast domain. 

Port-based VLANs can reduce the likelihood and severity of broadcast storms by reducing the number of ports 
affected by a storm. In addition, for devices such as servers that can cause broadcast storms, you can add static 
MAC entries for the devices and assign the static entries to a VLAN. 

By default, each port-based VLAN maintains a separate spanning tree. You can override this behavior and 
configure the device to use the same spanning tree for all VLAN ports if desired. See the "Configuring Spanning 
Tree Protocol (STP)" chapter in the Advanced Configuration and Management Guide. 

For VLAN configuration information, see the "Configuring Virtual LANs (VLANs)" chapter in the Advanced 
Configuration and Management Guide. 
VLAN Tagging 

HP switches support 802.1q VLAN tagging. VLAN tagging is a method of identifying a packet as a member of a 
VLAN. VLAN tagging enables you to configure ports on multiple switches into a single VLAN. Using tagged 
VLANs can ease network management and ensures interoperability with other devices. 

When a switch sends a packet that is a member of a tagged VLAN, the switch "tags" the packet to indicate its 
VLAN membership. Other switches that support VLAN tagging recognize the tag and process the packet 
according to its VLAN membership. 
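The tag described above is a fixed 4-byte field inserted between the source MAC address and the EtherType. The following Python model, added here as an illustration and not taken from the HP software, builds an untagged frame, inserts and parses an 802.1q tag (TPID 0x8100 followed by the PCP/DEI/VID fields), strips it again as a switch does before sending out an untagged port, and performs the ingress check a switch needs so that a frame tagged for a VLAN the receiving port is not a member of is dropped rather than leaked into another broadcast domain. The MAC addresses are constructed sample values from the documentation range 00-00-5E-00-53-xx.

```python
import struct

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: dst(6) | src(6) | type(2) | payload. FCS omitted."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses are 6 bytes")
    return dst + src + struct.pack("!H", ethertype) + payload


def add_vlan_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert the 4-byte tag (TPID + TCI) between the source MAC and the EtherType.

    TCI layout: PCP (3 bits) | DEI (1 bit) | VID (12 bits). VID 0 means
    'priority tag only' and 4095 is reserved, so neither is accepted here.
    """
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be in 1..4094")
    if not 0 <= pcp <= 7:
        raise ValueError("PCP is a 3-bit field")
    tci = (pcp << 13) | ((dei & 1) << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame: bytes) -> dict:
    """Decode the header; 'vid' is None when the frame carries no 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return {"dst": dst, "src": src, "vid": None, "pcp": None, "dei": None,
                "ethertype": ethertype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("tagged frame truncated inside the tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "vid": tci & 0x0FFF, "pcp": tci >> 13,
            "dei": (tci >> 12) & 1, "ethertype": inner_type, "payload": frame[18:]}


def strip_vlan_tag(frame: bytes) -> bytes:
    """Remove the tag, as a switch does before forwarding out an untagged port."""
    if parse_frame(frame)["vid"] is None:
        return frame
    return frame[:12] + frame[16:]


def accept_tagged_on_port(frame: bytes, port_vlans: set) -> bool:
    """Ingress check: a tagged frame is accepted only if the receiving port is a
    member of that VID. Anything else is dropped instead of being switched into
    a broadcast domain the port does not belong to."""
    info = parse_frame(frame)
    return info["vid"] is not None and info["vid"] in port_vlans


if __name__ == "__main__":
    # Constructed sample addresses (RFC 7042 documentation range)
    dst = bytes.fromhex("00005e005301")
    src = bytes.fromhex("00005e005302")
    plain = build_frame(dst, src, ETHERTYPE_IPV4, b"\x45\x00\x00\x14")
    tagged = add_vlan_tag(plain, vid=100, pcp=5)
    print(parse_frame(tagged))
    print(accept_tagged_on_port(tagged, {10, 100}), accept_tagged_on_port(tagged, {10}))
```

The ingress check is the part worth keeping in mind when reading the interoperability claim above: tagging only isolates traffic if every switch refuses frames for VLANs its ports are not members of.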

For more information, see the "Configuring Virtual LANs (VLANs)" chapter in the Advanced Configuration and 
Management Guide. 

Super Aggregated VLANs 

You can aggregate multiple VLANs within another VLAN. This feature allows you to construct Layer 2 paths and 
channels for implementing Global Ethernet. This feature is particularly useful for Virtual Private Network (VPN) 
applications in which you need to provide a private, dedicated Ethernet connection for an individual client to 
transparently reach its sub-net across multiple networks. 

For an application example and configuration information, see the "Configuring Virtual LANs (VLANs)" chapter in 
the Advanced Configuration and Management Guide. 

MAC Filters 

A MAC filter enables you to explicitly permit or deny switching of a Layer 2 packet received by the HP device. 
When the device receives a Layer 2 packet for switching, the device checks the packet's contents against the 
defined MAC filters. If the packet matches a filter, the system takes the action specified in the filter. 

• If the action is permit, the system allows the packet to be switched. 

• If the action is deny, the system immediately drops the packet. 

To ensure security, if a packet does not match any of the MAC filters defined on the system, the system drops the 
packet by default. To configure the system to permit packets by default, you must define the last MAC filter in the 
filter list to allow all packets. 

MAC filters can evaluate packets based on criteria such as source address and mask, destination address and 
mask, and protocol type (IP, ARP, and so on). 

See "Defining MAC Address Filters" on page 9-51 for information on configuring MAC filters. 
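The evaluation order and the default action are the two things that decide whether a MAC filter list is safe. The Python model below is an added example, not HP's implementation or CLI syntax: it walks the filter list in order, lets the first match decide, and returns deny when nothing matches, so the "last filter permits everything" idiom from the text can be seen changing the outcome for an unrelated frame. The mask semantics (a 1 bit means the bit must match) and the sample policy are assumptions constructed for the example; the addresses come from the documentation range 00-00-5E-00-53-xx.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806
EXACT_MASK = b"\xff" * 6      # compare all 48 bits


def mac(text: str) -> bytes:
    """Accept 00:00:5e:00:53:01, 00-00-5e-00-53-01 or 0000.5e00.5301."""
    return bytes.fromhex(text.replace(":", "").replace("-", "").replace(".", ""))


def masked_match(addr: bytes, pattern: bytes, mask: bytes) -> bool:
    """A 1 bit in the mask means 'this bit must match'; 0 means 'don't care'.
    (Mask semantics are an assumption of this model, not taken from the manual.)"""
    return all((a & m) == (p & m) for a, p, m in zip(addr, pattern, mask))


@dataclass
class Frame:
    src: bytes
    dst: bytes
    ethertype: int


@dataclass
class MacFilter:
    action: str                       # "permit" or "deny"
    src: Optional[bytes] = None       # None = any source
    src_mask: bytes = EXACT_MASK
    dst: Optional[bytes] = None       # None = any destination
    dst_mask: bytes = EXACT_MASK
    ethertype: Optional[int] = None   # None = any protocol type

    def matches(self, frame: Frame) -> bool:
        if self.src is not None and not masked_match(frame.src, self.src, self.src_mask):
            return False
        if self.dst is not None and not masked_match(frame.dst, self.dst, self.dst_mask):
            return False
        if self.ethertype is not None and frame.ethertype != self.ethertype:
            return False
        return True


def evaluate(filters: List[MacFilter], frame: Frame) -> Tuple[str, Optional[int]]:
    """First matching filter in list order decides. If no filter matches, the
    frame is dropped: the implicit default is deny, as the passage states.
    Returns (action, index of the deciding filter or None for the implicit deny)."""
    for index, flt in enumerate(filters):
        if flt.matches(frame):
            return flt.action, index
    return "deny", None


PERMIT_ALL = MacFilter("permit")      # the 'last filter permits everything' idiom

# Constructed sample policy:
#   1. deny ARP from the whole 00:00:5e:00:53:xx range (a quarantined segment)
#   2. permit anything addressed to the server at 00:00:5e:00:53:ff
SERVER = mac("00:00:5e:00:53:ff")
POLICY = [
    MacFilter("deny", src=mac("00:00:5e:00:53:00"), src_mask=mac("ff:ff:ff:ff:ff:00"),
              ethertype=ETHERTYPE_ARP),
    MacFilter("permit", dst=SERVER),
]

if __name__ == "__main__":
    host = mac("00:00:5e:00:53:10")
    samples = {
        "IP to server": Frame(host, SERVER, ETHERTYPE_IP),
        "ARP broadcast from range": Frame(host, mac("ff:ff:ff:ff:ff:ff"), ETHERTYPE_ARP),
        "IP to another host": Frame(host, mac("00:00:5e:00:53:20"), ETHERTYPE_IP),
    }
    for name, frame in samples.items():
        print(f"{name:26s} default-deny list: {evaluate(POLICY, frame)}"
              f"   with permit-all last: {evaluate(POLICY + [PERMIT_ALL], frame)}")
```

The index returned with each decision is what you want when auditing a list: it tells you which entry actually fired, which matters once permit and deny entries overlap, as the ARP-to-server case below shows.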

Address-Lock Filters 

An address-lock filter restricts the number of MAC addresses that a switch can learn from a specific port. After 
the switch learns the specified number of MAC addresses from the port, it stops learning addresses received on 
that port. In addition, the switch does not accept or forward traffic on the port unless the traffic contains one of the 
source or destination MAC addresses locked for the port. 

Address-lock filters apply only to Layer 2 traffic and do not affect Layer 3 or Layer 4 traffic on the locked ports. 
Unlike addresses learned from other ports, addresses learned from a locked port are not subject to aging. 

See "Locking a Port To Restrict Addresses" on page 9-57 for information on configuring address-lock filters. 
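The behaviour described in this section has three parts: learning stops once the limit is reached, frames that carry none of the locked addresses as source or destination are dropped, and the locked addresses never age out. The Python model below is an added example, not HP's code; it puts an ordinary learning port beside a lock-configured one so the aging difference is visible, and it records each dropped frame because a lock violation is exactly the event an operator wants to see in a log. The aging time and port names are constructed values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Port:
    """Layer 2 address learning on one switch port (constructed model).

    lock_limit set: the port behaves as the passage describes.
    lock_limit None: an ordinary learning port, for comparison.
    """
    name: str
    lock_limit: Optional[int] = None
    aging_time: int = 300                                   # seconds (assumed value)
    table: Dict[bytes, int] = field(default_factory=dict)   # MAC -> last-seen time
    locked: bool = False
    violations: List[Tuple[int, bytes, bytes]] = field(default_factory=list)

    def receive(self, src: bytes, dst: bytes, now: int) -> str:
        """Return 'forward' or 'drop' for a frame arriving on this port."""
        if self.locked:
            # Learning has stopped. Only frames whose source or destination is one
            # of the locked addresses are accepted; everything else is dropped and
            # recorded so the violation can be reported.
            if src in self.table or dst in self.table:
                return "forward"
            self.violations.append((now, src, dst))
            return "drop"
        self.table[src] = now                       # learn (or refresh) the source address
        if self.lock_limit is not None and len(self.table) >= self.lock_limit:
            self.locked = True                      # limit reached: stop learning
        return "forward"

    def age(self, now: int) -> int:
        """Expire stale entries on an ordinary port and return how many were removed.
        Addresses learned on a lock-configured port are never aged out."""
        if self.lock_limit is not None:
            return 0
        stale = [m for m, seen in self.table.items() if now - seen > self.aging_time]
        for m in stale:
            del self.table[m]
        return len(stale)


if __name__ == "__main__":
    # Constructed sample addresses (RFC 7042 documentation range)
    a, b, c, x = (bytes.fromhex(h) for h in
                  ("00005e005301", "00005e005302", "00005e005303", "00005e0053ff"))
    locked = Port("e1", lock_limit=2)
    for src, dst, t in [(a, x, 0), (b, x, 1), (c, x, 2), (c, a, 3)]:
        print(locked.name, src.hex(), "->", dst.hex(), locked.receive(src, dst, t))
    print("violations:", [(t, s.hex()) for t, s, _ in locked.violations])
    print("aged out on locked port:", locked.age(10_000))
```

The `violations` list is the detection hook: a burst of drops on a locked port means either a new device was plugged in or something is sending with addresses it should not be using, and both deserve a look.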

Dynamic Host Configuration Protocol (DHCP) Assist 

DHCP Assist allows an HP switch to assist an HP ProCurve routing switch or third-party router that is performing 
multi-netting on its interfaces as part of its DHCP relay function. DHCP eliminates the need to manually assign IP 
addresses to clients. Instead of each client having a statically configured IP address, clients petition a server for 
IP addresses when the clients are booted. 

DHCP Assist ensures that a DHCP server that manages multiple IP sub-nets can readily recognize the 
requester's IP sub-net, even when that server is not on the client's local LAN segment. The HP switch does this 
by stamping the correct gateway IP address into a DHCP discovery packet on behalf of the routing switch or 
router. 
NOTE: DHCP assist applies only to HP switches. To configure an HP routing switch to assist DHCP packets, 
use the UDP Helper feature. See "User Datagram Protocol (UDP) Helper" on page 7-24. 

See the "Configuring IP" chapter in the Advanced Configuration and Management Guide for information on 
configuring DHCP assist. 
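The "stamping" the section describes operates on the giaddr field of the BOOTP/DHCP header (RFC 2131). The Python model below is an added example and not HP's implementation: it constructs a DHCPDISCOVER as a client would broadcast it, fills in the gateway address that belongs to the sub-net attached to the ingress port, and leaves the packet untouched when a relay closer to the client has already set giaddr, when the packet is a server reply, or when no gateway is configured for the port. The per-port gateway table and the port names are hypothetical; the sub-nets are from the documentation ranges.

```python
import ipaddress
import struct
from typing import Dict

BOOTREQUEST, BOOTREPLY = 1, 2
# RFC 2131 fixed header: op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr sname file
BOOTP_HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")      # 236 bytes
GIADDR_INDEX = 10                                                # position of giaddr in the tuple
DHCP_MAGIC = b"\x63\x82\x53\x63"                                 # marks the start of DHCP options
ZERO_IP = b"\x00" * 4


def build_discover(client_mac: bytes, xid: int = 0x3903F326) -> bytes:
    """Constructed DHCPDISCOVER as a client broadcasts it: giaddr is 0.0.0.0."""
    chaddr = client_mac.ljust(16, b"\x00")
    header = BOOTP_HEADER.pack(BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                               ZERO_IP, ZERO_IP, ZERO_IP, ZERO_IP,
                               chaddr, b"\x00" * 64, b"\x00" * 128)
    options = bytes([53, 1, 1, 255])   # option 53 (message type) = 1 DISCOVER, then End
    return header + DHCP_MAGIC + options


def giaddr_of(packet: bytes) -> str:
    fields = BOOTP_HEADER.unpack_from(packet)
    return str(ipaddress.IPv4Address(fields[GIADDR_INDEX]))


def stamp_gateway(packet: bytes, gateway_ip: str) -> bytes:
    """Return the packet with giaddr set to the gateway of the client's sub-net.

    Only client requests with an empty giaddr are rewritten: a giaddr already set
    by a relay closer to the client is left alone, and server replies are never
    touched. Everything after the fixed header is copied unchanged.
    """
    cookie = packet[BOOTP_HEADER.size:BOOTP_HEADER.size + 4]
    if cookie != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    fields = list(BOOTP_HEADER.unpack_from(packet))
    if fields[0] != BOOTREQUEST or fields[GIADDR_INDEX] != ZERO_IP:
        return packet
    fields[GIADDR_INDEX] = ipaddress.IPv4Address(gateway_ip).packed
    return BOOTP_HEADER.pack(*fields) + packet[BOOTP_HEADER.size:]


# Hypothetical per-port table: the router's IP interface serving the sub-net on each port.
PORT_GATEWAYS: Dict[str, str] = {"e1": "192.0.2.1", "e2": "198.51.100.1"}


def assist(packet: bytes, ingress_port: str,
           gateways: Dict[str, str] = PORT_GATEWAYS) -> bytes:
    """What the switch does with a discover arriving on ingress_port."""
    if ingress_port not in gateways:
        return packet            # no DHCP Assist gateway configured here: pass through
    return stamp_gateway(packet, gateways[ingress_port])


if __name__ == "__main__":
    discover = build_discover(bytes.fromhex("00005e005301"))    # constructed client MAC
    print("client sent giaddr", giaddr_of(discover))
    stamped = assist(discover, "e2")
    print("after assist on e2 giaddr", giaddr_of(stamped))
```

Because the server chooses the scope from giaddr, a wrong entry in that table hands out addresses from the wrong sub-net; checking the table against the router's multi-netted interfaces is the first thing to verify when clients on one segment get leases meant for another.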

IP Multicast Containment 

IP multicast containment allows the HP 6208M-SX to limit switching of IP multicast packets to only those ports 
on the switch that are identified as IP multicast members. The HP 6208M-SX can provide IP multicast 
containment in either of the following modes: 

• Passive - The switch listens for Internet Group Membership Protocol (IGMP) packets and forwards them to 
the appropriate ports. 

• Active - The switch actively sends out host queries to identify IP multicast groups on the network and inserts 
this information into the IGMP packets. 

Routers in the network generally handle host queries. Use IP multicast containment in the passive mode unless your 
network contains no router to provide this service. 

Layer 3 Switching Features 

The following sections describe the Layer 3 switching features listed in Table 7.1 on page 7-1. 

Protocol-Based Virtual LANs (VLANs) 

Protocol and sub-net based VLANs increase network performance and provide managers with a high degree of 
network flexibility. 

With sub-net VLANs, devices with a common sub-net can be resident across multiple ports of an HP device. This 
increases performance by providing a greater pool of bandwidth for all devices. 

Protocol VLANs enable managers to easily and transparently group like protocols into a defined VLAN. This 
reduces the number of non-essential broadcasts on other ports and allows a port to belong to multiple VLANs 
without VLAN tagging. 

You can define Layer 3 VLANs for the following protocols: 

• IP protocol 

• IPX protocol 

• IP sub-net 

• IPX network number 

• AppleTalk cable range 

• AppleTalk 

• Decnet 

• NetBIOS 

• Others 

For more details on the value and configuration of VLANs, see the "Configuring Virtual LANs (VLANs)" chapter in 
the Advanced Configuration and Management Guide. 

Routing Between VLANs 

In addition to supporting the assignment of VLANs, HP routing switches support routing between VLANs using 
virtual interfaces. 
VLAN Tagging 

VLAN tagging (802.1q) extends the boundaries of the VLAN by allowing creation of VLANs that cross switch 
boundaries. This eases network management and ensures interoperability with other devices. See "VLAN 
Tagging" on page 7-17. 

Layer 3 Routing Features 

The following sections describe the Layer 3 routing features listed in Table 7.1 on page 7-1. HP routing switches 
provide traditional Layer 3 routing at wire speeds with support for the following routing protocols: 

• Internet Protocol (IP) 

• IP Routing Information Protocol (RIP) 

• Open Shortest Path First (OSPF) 

• Internet Packet Exchange (IPX) 

• IPX RIP 

• IPX Service Advertisement Protocol (SAP) 

• AppleTalk 

The following sections describe the HP routing switch support for the protocols listed above and the additional 
routing features. 

Multi-Netting 

Multi-netting allows you to assign multiple IP or IPX protocol interfaces to the same physical port on the switch or 
routing switch. HP routing switches support multi-netting for IP and IPX. 

Multiple IP Sub-nets per Interface 

Up to 64 IP sub-nets can be defined per port. IP/RIP and OSPF can be assigned to these multi-homed interfaces. 

Multiple IPX Frame Type Support per Interface 

Up to four different IPX network numbers and frame encapsulation types can be defined for each IPX interface. 
You can define and receive traffic from four separate IPX networks on a single interface. Each of the networks 
must have a distinct network number and one of the following encapsulation types: Ethernet SNAP, Ethernet 
802.2, Ethernet 802.3, and Ethernet II. 

Multi-Port Subnets (Integrated Switch-Routing) 

Integrated Switch Routing (ISR) allows an HP routing switch to assign and support VLANs on its interfaces as 
would a switch. In addition, this feature provides routing between its VLANs. This combined logical switch and 
router operation within a single device is what defines a routing switch as an Integrated Switch-Router, as shown 
in Figure 7.3. 
[Figure: Layer 3 Switch over Layer 2 Switch] 

Figure 7.3 Logical representation of ISR within HP routing switches 

Routing between the VLANs is performed without dedicating physical ports by using virtual interfaces. These 
virtual interfaces serve as a link between the configured VLANs and the routing core of the HP routing switch. 

The ISR architecture provides the platform for support of policy-based VLANs within HP routing switches. 



IP/RIP Routing 

IP is the most widely used networking protocol on the Internet and in enterprise LANs. The HP implementation of 
IP adheres to the IP-related RFCs listed in "Software Specifications" on page B-1. In addition, features such as 
multi-netting, integrated switch-routing, and VLANs (described in the sections above) enhance the IP support. 

HP routing switches support the following intra-domain routing protocols: 

• RIP 

• OSPF 



NOTE: An intra-domain protocol is a protocol that is used by routers under common administrative control. The 
term "domain", used in this context, is synonymous with "autonomous system". In contrast, Border Gateway 
Protocol (BGP) is an example of an inter-domain protocol. BGP is used by routers in one domain to exchange 
information with routers in other domains. 



RIP 

RIP is a distance-vector protocol. It uses a cost value associated with each route to express the preferability of 
that route. Generally, the cost is equivalent to the number of hops in the route, but HP devices allow you to bias 
the preferability of a route by changing its cost. You also can configure the routing switch to prefer one route over 
another equal cost route. 

By default, HP routing switches using RIP propagate route information to other RIP routers by sending route 
updates every 30 seconds. You can change this update interval if needed. 

You can enable HP routing switches to use RIP version 1, RIP version 1 with version 2 compatibility, or RIP 
version 2 to manage IP routes. The default is version 2. 

See the "Configuring IP" and "Configuring RIP" chapters in the Advanced Configuration and Management Guide 
for information. 

Open Shortest Path First (OSPF) Routing 

OSPF is a link-state routing protocol. Each router that runs OSPF uses information from its own interfaces and 
from other OSPF routers to build a topological map of the network. OSPF routers exchange link-state databases 
and then periodically send link-state advertisements to notify other routers of route changes. 
HP routing switches are configured to be compliant with RFC 1583 OSPF V2 (RFC 1583) by default. You also can 
configure HP routing switches to run the latest OSPF standard, RFC 2178. 

See the "Configuring OSPF" chapter in the Advanced Configuration and Management Guide for information. 

Border Gateway Protocol (BGP4) Routing 

BGP4 allows you to configure HP routing switches to route traffic between Autonomous Systems (ASs) and to 
maintain loop-free routing. BGP allows the routers within the AS to communicate even when those routers are 
running different Interior Gateway Protocols (IGPs) such as RIP and OSPF. 

The HP implementation of BGP4 supports many advanced BGP4 features including peer groups, confederations, 
route reflection, and dynamic route refresh. 

See the "Configuring BGP4" chapter in the Advanced Configuration and Management Guide for information. 

IP Access and QoS Filters 

You can control the IP traffic that the HP routing switch receives and forwards by defining IP access policies. An 
IP access policy can filter on source IP address, destination IP address, UDP port number, or TCP port number. 
For example, if you want to permit Telnet access only to specific IP addresses, you can create permit policies for 
those IP addresses. 

You also can use IP access policies to specify the Quality of Service (QoS) that packets in a particular Layer 4 
session should receive. A Layer 4 session is a combination of the source and destination addresses and the TCP or UDP 
port number. For more information about QoS, see the "Quality of Service (QoS)" chapter in the Advanced 
Configuration and Management Guide. 

You assign policies to individual ports by defining access policy groups. An access policy group identifies a list of 
policies and a set of ports to which the policies are applied. Access policies are applied in the order you list them 
in the access policy group. 

IP Route Filters 

You can use IP route filters to control the following: 

• Routes learned (cached) by the routing switch. IP route filters applied to inbound traffic affect the routes that 
the routing switch learns. 

• Routes advertised by the routing switch. Filters assigned to outbound traffic affect the routes that the routing 
switch advertises. 

You specify whether the filter is applied to incoming or outgoing traffic by adding individual filters to filter groups 
and assigning the groups to specific ports. 

For details on RIP filters and how to configure them, see the "Configuring RIP" chapter in the Advanced 
Configuration and Management Guide. 

You can control the RIP neighbors from which the routing switch learns RIP updates by defining RIP neighbor 
filters. Neighbor filters either permit or deny RIP updates from the specified neighbor. 

Policy-Based Routing 

Policy-Based Routing (PBR) allows you to use ACLs and route maps to selectively modify and route IP packets 
based on their source IP address. 

You can configure the routing switch to perform the following types of PBR based on a packet's Layer 3 and Layer 
4 information: 

• Select the next-hop gateway. 

• Specify the default next-hop IP address if there is no explicit next-hop selection for the packet. 

• Send the packet to the null interface (null0). 
HP's PBR routing is based on standard and extended ACLs and route-maps. The ACLs classify the traffic. Route 
maps that match on the ACLs set routing attributes for the traffic. HP's implementation of PBR uses high 
performance switching algorithms including route caches and route tables. 

For information, see the "Using Access Control Lists (ACLs)" chapter in the Advanced Configuration and 
Management Guide. 

Network Address Translation 

Network Address Translation (NAT) enables private IP networks that use nonregistered IP addresses to connect 
to the Internet. Configure NAT on the HP device at the border of an inside network and an outside network (such 
as the Internet). NAT translates the internal local addresses to globally unique IP addresses before sending 
packets to the outside network. NAT also allows a more graceful renumbering strategy for organizations that are 
changing service providers or voluntarily renumbering into Classless Interdomain Routing (CIDR) blocks. 

Use NAT to translate your private (inside) IP addresses into globally unique (outside) IP addresses when 
communicating outside of your network. 



NOTE: This feature is supported on all chassis routing switches with Redundant Management modules. It is not 
available on HP fixed-port devices. 



For information, see the "Network Address Translation" chapter in the Advanced Configuration and Management 
Guide. 

IPX Routing 

HP routing switches support the Internet Packet Exchange (IPX) protocol created by Novell™. IPX is based on a 
client-server networking architecture. 

The Routing Information Protocol (RIP) and the Service Advertisement Protocol (SAP) are two key components of 
Novell NetWare and its IPX protocol suite. By default, Novell NetWare versions 3.x and 4.x broadcast RIP and 
SAP updates at 60 second intervals. 

Up to four different IPX network numbers and frame encapsulation types can be defined for each IPX interface on 
an HP routing switch. Therefore, you can define and receive traffic from four separate IPX networks on a single 
interface. Each of the networks must have a distinct network number and encapsulation type (Ethernet SNAP, 
Ethernet 802.2, Ethernet 802.3 and Ethernet II). 

IPX Forward Filters 

You can define IPX filters to control client access to servers. For example, if you want to restrict access to a print 
server to specific users, you can define a filter group containing filters that check for the source IPX addresses and 
nodes of those users. The filter explicitly permits users that match a filter to access the print server specified by 
the destination address, destination node, and socket number of the print server. 

For details on IPX filtering and how to configure the filters, see the "Configuring IPX" chapter in the Advanced 
Configuration and Management Guide. 

IPX/RIP and IPX/SAP Filters 

In addition to controlling client access to servers, you can control the following: 

• Client access to other IPX networks. You control client access to other IPX networks by filtering IPX/RIP 
routes received or advertised by the HP routing switch. 

• Client access to services. You control service by filtering IPX/SAP service advertisements sent by the HP 
routing switch. To do so, configure SAP access lists. 

For information on configuring IPX/RIP and IPX/SAP filters and ACLs, see the "Configuring IPX" chapter in the 
Advanced Configuration and Management Guide. 
AppleTalk Routing 

HP routing switches support Phase II AppleTalk routing. HP's implementation supports all the following AppleTalk 
protocols: 

• EtherTalk Link Access Protocol (ELAP) - AppleTalk physical layer protocol 

• Datagram Delivery Protocol (DDP) - AppleTalk equivalent of IP/UDP 

• AppleTalk Echo Protocol (AEP) - AppleTalk equivalent of IP/ICMP 

• AppleTalk Transaction Protocol (ATP) - AppleTalk equivalent of IP/TCP 

NOTE: A sub-set of ATP is implemented to support ZIP on HP routing switches. 

• Name Binding Protocol (NBP) - AppleTalk equivalent of IP/DNS 

AppleTalk Zone and Network Filters 

Zone filters and network filters enable you to control access to AppleTalk networks and individual nodes: 

• Zone filters - Explicitly permit or deny access to specific zones on specific ports 

• Network filters - Explicitly permit or deny access to specific networks on specific ports 

IP Multicast Routing (PIM and DVMRP) 

Multicast protocols allow a group or channel to be accessed over different networks by multiple stations (clients) 
that receive or transmit multicast traffic. Distribution of stock quotes, video transmissions such as news 
services or remote classrooms, and video conferencing are all examples of multicast applications. 

HP routing switches support the following IP multicast protocols: 

• Distance Vector Multicast Routing Protocol (DVMRP) - a broadcast and pruning multicast protocol that 
delivers IP multicast datagrams to its intended receivers. 

• Internet Group Membership Protocol (IGMP) - a protocol used by DVMRP routers to advertise multicast 
groups to the routers that are distributing the multicasts. 

• Protocol Independent Multicast (PIM) protocol - an alternative to DVMRP that uses the routing switch's IP 
route table rather than maintaining a separate multicast route table as DVMRP does. Dense and Sparse 
modes are supported. 

• The Multicast Source Discovery Protocol (MSDP) - a protocol used by PIM Sparse routers to exchange 
routing information for PIM Sparse multicast groups across PIM Sparse domains. Routers running MSDP 
can discover PIM Sparse sources that are in other PIM Sparse domains. PIM Sparse routers use MSDP to 
register PIM Sparse multicast sources in a domain with the Rendezvous Point (RP) for that domain. 

DVMRP and PIM can concurrently operate on different ports of an HP routing switch. 

For both versions of IP multicast, HP routing switches support IP tunneling. IP tunneling allows HP routing 
switches that are performing IP multicast to send multicast traffic through routers that do not support either PIM or 
DVMRP multicasting. 

For more details on configuring the HP routing switches for IP multicast, see the "Configuring IP Multicast 
Protocols" chapter in the Advanced Configuration and Management Guide. 

Redistribution Filters 

HP routing switches allow you to configure parameters for redistributing routes among the following routing 
protocols: 

• IP/RIP 

• IP/OSPF 

• IP/BGP4 
For example, an HP routing switch running OSPF and RIP can pass a route learned through RIP to OSPF. The 
router associates a metric and other parameters with a route when the router redistributes the route to other 
protocols. You can modify these parameters and permit or deny routes from being distributed using route 
distribution filters. 

You define the filters for each of the protocols that redistributes the routes. For example, if you want to control 
how the routing switch redistributes routes learned through RIP to OSPF, you use IP/RIP commands or Web 
management screens to define the filters. 

User Datagram Protocol (UDP) Helper 

HP routing switches can relay UDP packets to their destination for a specific application even when the 
destination server is not on the local LAN segment. For example, an HP routing switch can relay UDP packets for 
the following applications to their destination nodes: bootps, domain, and tftp. This feature is especially useful for 
configuring the HP routing switch to help DHCP packets reach their intended server and client. 

For details on UDP helper and its configuration, see the "Configuring IP" chapter in the Advanced Configuration 
and Management Guide. 



NOTE: UDP Helper is supported only on HP routing switches. To configure an HP switch to help BootP/DHCP 
packets, use the DHCP Assist feature. See the "Configuring IP" chapter in the Advanced Configuration and 
Management Guide. 



TCP/UDP Access Policies 

TCP/UDP access policies (sometimes called session filters) allow you to filter packets for specific Layer 4 
sessions. For example, you can use session filters to prohibit specific users from using TCP port 80 (HTTP for 
web traffic). All HP devices support TCP/UDP access policies. For syntax information, see the "Policies and 
Filters" chapter in the Advanced Configuration and Management Guide. 

Redundancy Features 

The following sections describe the redundancy features listed in Table 7.1 on page 7-1. 

Virtual Router Redundancy Protocol (VRRP) 

The Virtual Router Redundancy Protocol (VRRP), described in RFC 2338, allows routing switches and even 
third-party routers to be configured together as a virtual router. Generally, a host configured to use a default router 
will lose its connection to the rest of the network if the default router becomes unavailable. However, if you 
configure several routers as a VRRP virtual router, and then use the virtual router as the default router for the 
hosts, the hosts receive uninterrupted service even if one of the routers within the virtual router becomes 
unavailable. 

One of the routers in the virtual router is the "active" or "master" router and handles the traffic sent to the virtual 
router's MAC address or IP address. The other routers remain in standby mode while the active router is 
functioning. 

If the active router becomes unavailable, one of the standby routers becomes the new active router. The new 
active router uses the same virtual MAC address and virtual IP address as the previous master, so hosts are 
unaware that a router has become unavailable. As far as the hosts are concerned, the MAC address and IP 
address of the virtual router is still alive. You can fix the link or router problem off-line while network service 
continues uninterrupted. 

In addition to the standard redundancy support described in RFC 2338, HP's implementation of VRRP enables 
you to track the status of both the in and out ports for host traffic. The track port feature ensures that if an out port 
goes down, even if the in port is still up, VRRP lowers the router priority and thus causes a renegotiation for the 
Master. 

VRRPE is an HP enhancement to standard VRRP. 
For more details on VRRP and its configuration, see the "Configuring VRRP and VRRPE" chapter in the 
Advanced Configuration and Management Guide. 
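The election and the track-port behaviour described above can be followed in a small model. The Python below is an added example, not HP's implementation: it computes each router's effective priority (configured priority minus a decrement for every tracked port that is down, never below 1), elects the master as the highest effective priority with the higher primary IP address as tie-break (the comparison RFC 2338 uses), derives the virtual MAC address 00-00-5E-00-01-{VRID} that stays constant across a failover, and replays the scenario from the text: the out port fails while the in port stays up, the master is renegotiated, the link is repaired, and finally the original master stops advertising. The router names, addresses, priorities and the "port name to decrement" form of the track-port configuration are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def virtual_mac(vrid: int) -> str:
    """Virtual router MAC address defined by RFC 2338: 00-00-5E-00-01-{VRID}.
    Hosts keep resolving the virtual IP to this address whichever router is master."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return "00:00:5e:00:01:%02x" % vrid


@dataclass
class VrrpRouter:
    name: str
    primary_ip: str
    priority: int                         # 1..254 for backups; 255 is reserved for the IP owner
    alive: bool = True                    # False once its advertisements stop arriving
    # Track-port model (assumed form, not HP's syntax): port name -> priority decrement
    tracked_ports: Dict[str, int] = field(default_factory=dict)
    port_up: Dict[str, bool] = field(default_factory=dict)

    def effective_priority(self) -> int:
        """Configured priority minus the decrement of every tracked port that is down.
        Floored at 1 so the router keeps advertising instead of vanishing."""
        p = self.priority
        for port, decrement in self.tracked_ports.items():
            if not self.port_up.get(port, True):
                p -= decrement
        return max(p, 1)


def elect_master(routers: List[VrrpRouter]) -> Optional[VrrpRouter]:
    """Highest effective priority wins; on a tie the higher primary IP address wins
    (the comparison RFC 2338 applies to received advertisements)."""
    candidates = [r for r in routers if r.alive]
    if not candidates:
        return None
    return max(candidates,
               key=lambda r: (r.effective_priority(), int(ipaddress.IPv4Address(r.primary_ip))))


def failover_sequence() -> List[str]:
    """Replay the passage's scenario and return the master after each event."""
    r1 = VrrpRouter("R1", "192.0.2.2", 110, tracked_ports={"e8": 20}, port_up={"e8": True})
    r2 = VrrpRouter("R2", "192.0.2.3", 100)
    routers = [r1, r2]
    masters = [elect_master(routers).name]        # R1: highest priority
    r1.port_up["e8"] = False                       # tracked out port fails: 110 - 20 = 90 < 100
    masters.append(elect_master(routers).name)    # R2 takes over although R1's in port is up
    r1.port_up["e8"] = True                        # link repaired off-line: R1 is preferred again
    masters.append(elect_master(routers).name)
    r1.alive = False                               # R1 itself becomes unavailable
    masters.append(elect_master(routers).name)
    return masters                                 # ['R1', 'R2', 'R1', 'R2']


if __name__ == "__main__":
    print("virtual MAC for VRID 1:", virtual_mac(1))
    print("master after each event:", failover_sequence())
```

Two things follow from the model that are easy to miss in the prose: the virtual MAC and IP do not change at any step, which is why hosts notice nothing, and a track-port decrement only causes a renegotiation if it takes the master below the best standby, so the decrement has to be sized against the other routers' priorities.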

VRRP Extended (VRRPE) 

VRRPE is an HP protocol that provides the benefits of VRRP without the limitations. In fact, VRRPE combines the 
benefits of HP's VRRP and SRP. VRRPE is unlike VRRP and is like SRP in the following ways: 

• There is no "Owner" router. You do not need to use an IP address configured on one of the routing switches 
as the virtual router ID (VRID), which is the address you are backing up for redundancy. The VRID is 
independent of the IP interfaces configured in the routing switches. As a result, the protocol does not have an 
"Owner" as VRRP does. 

• There is no restriction on which router can be the default master router. In VRRP, the "Owner" (the routing 
switch on which the IP interface that is used for the VRID is configured) must be the default Master. 

HP routing switches configured for VRRPE can interoperate only with other HP routing switches. 

For more details on VRRP and its configuration, see the "Configuring VRRP and VRRPE" chapter in the 
Advanced Configuration and Management Guide. 

Standby Router Protocol (SRP) 

In addition to VRRP, HP routing switches continue to provide support for redundant router configurations through 
HP's proprietary protocol, Standby Router Protocol (SRP). SRP provides many of the same features as HP's 
implementation of VRRP, but SRP can be used only with HP routing switches. 

HP routing switch software continues to provide SRP support for backward compatibility on routing switches that 
are already configured to use the protocol. If you have routing switches that are running SRP, you do not need to 
reconfigure them for VRRP. However, if you are planning to configure your HP routing switches to use a 
redundancy protocol, Hewlett-Packard recommends that you use VRRP. Using VRRP allows you to include 
third-party routers in the virtual router. 



NOTE: Hewlett-Packard recommends that you do not use VRRP and SRP on the same device. 



NOTE: The virtual interface feature might not be supported on third-party routers. See the documentation for 
those routers for information. 



For more details on SRP and its configuration, see the "Configuring SRP" chapter in the Advanced Configuration 
and Management Guide. 
Chapter 8 
Hardware Overview 



This chapter provides a hardware overview of the HP 9308M, HP 9304M, and HP 6308M-SX routing switches and 
the HP 6208M-SX switch. 

• For information about specific hardware standards and specifications, see the "Hardware Specifications" 
appendix in the Advanced Configuration and Management Guide. 

• For a detailed summary and description of software features, see "Software Overview" on page 7-1. 

The HP 6208M-SX switch provides support for Layer 2 switching within one platform. The HP 6308M-SX routing 
switch provides both Layer 2 switching and Layer 3 routing in a single device. 

The HP 9308M and HP 9304M also provide Layer 2 switching and Layer 3 routing in a single device and support 
hardware-based Layer 2/3/4 switching and multi-protocol routing on a single, chassis-based platform. 

Chassis Devices 

The HP 9308M and HP 9304M routing switches provide second generation, hardware-based Layer 2/3/4 
switching and multi-protocol routing on a single, chassis-based platform, as shown in Figure 8.1 and Figure 8.14, 
respectively. 

Enterprises and Internet service providers (ISPs) can use these routing switches to build very high-performance, 
end-to-end packet networks that provide the Quality of Service (QoS) needed to support delay-sensitive traffic. 
Designed for use in collapsed backbone data centers, server farms, and wiring closets, the HP 9308M and HP 
9304M deliver high-density Gigabit Ethernet ports and 10/100 Mbps ports and provide performance of up to 
100,000,000 packets per second. 

Chassis Modules 

Each slot of the HP 9308M and HP 9304M can be populated by either a switch module or a management module. 
All non-management modules (those without a serial management port), are referred to as switch modules. 

Each system requires at least one management module. Management modules are available with 10/100 Mbps, 
100 Mbps fiber ports or Gigabit Ethernet ports and provide a serial port for console access. Management 
modules also provide additional port density to the system. The management module can be installed within any 
slot. 

For added redundancy and reliability, you can install two Redundant Management modules in a Chassis device. 
One of the Redundant Management modules is the active module while the other waits in standby mode to 
assume operation if the active module becomes unavailable. See "Redundant Management Module" on page 8-11 
and "Using Redundant Management Modules" on page 5-1 for more information. 
The HP 9308M and HP 9304M can be populated with any of the following modules: 

• Redundant Management modules 

  J4845A HP ProCurve 9300 GigLX Redundant Management Module (8-port) (Figure 8.2) 
  J4846A HP ProCurve 9300 GigSX Redundant Management Module (8-port) (Figure 8.3) 
  J4847A HP ProCurve 9300 Redundant Management Module (0-port) (Figure 8.4) 

• Management modules 

  J4141A HP ProCurve 9300 10/100 Management Module (16-port) (Figure 8.5) 
  J4144A HP ProCurve 9300 Gigabit SX Management Module (8-port) (Figure 8.6) 
  J4146A HP ProCurve 9300 Gigabit 4LX/4SX Management Module (8-port) (Figure 8.7) 

• Non-Management modules 

  J4842A HP ProCurve 9300 1000Base-T Module (8-port) (Figure 8.8) 
  J4140A HP ProCurve 9300 10/100 Module (24-port) (Figure 8.9) 
  J4142A HP ProCurve 9300 100Base FX Module (24-port MT-RJ) (Figure 8.10) 
  J4143A HP ProCurve 9300 Gigabit SX Module (8-port) (Figure 8.11) 
  J4145A HP ProCurve 9300 Gigabit 4LX/4SX Module (8-port) (Figure 8.12) 
  J4844A HP ProCurve 9300 GigLX Module (8-port) (Figure 8.13) 
Figure 8.1 Example of an HP 9304M routing switch (4-slot) 

Figure 8.2 J4845A HP ProCurve 9300 GigLX Redundant Management Module (8-port) 

Figure 8.3 J4846A HP ProCurve 9300 GigSX Redundant Management Module (8-port) 

Figure 8.4 J4847A HP ProCurve 9300 Redundant Management Module (0-port) 

Figure 8.5 J4141A HP ProCurve 9300 10/100 Management Module (16-port) 

Figure 8.6 J4144A HP ProCurve 1000BaseSX Management Module (8-port) 

Figure 8.7 J4146A HP ProCurve 1000Base 4LX/4SX Management Module (8-port) 

Figure 8.8 J4842A HP ProCurve 9300 1000Base-T Module (8-port) 

Figure 8.9 J4140A HP ProCurve 9300 10/100 Module (24-port) 

Figure 8.10 J4142A HP ProCurve 9300 100Base FX Module (24-port MT-RJ) 

Figure 8.11 J4143A HP ProCurve 9300 Gigabit SX Module (8-port) 

Figure 8.12 J4145A HP ProCurve 9300 Gigabit 4LX/4SX Module (8-port) 

Figure 8.13 J4844A HP ProCurve 9300 GigLX Module (8-port) 

NOTE: All 10/100 ports are auto-sensing and auto-negotiating for easy deployment into existing network 
topologies. Gigabit Ethernet interfaces are available in multi-mode 1000BaseSX, single-mode/multi-mode 
1000BaseLX, and copper. 

Figure 8.14 Example of an HP 9308M routing switch (8-slot) 
Fixed-Port Switch HP 6208M-SX and Routing Switch HP 6308M-SX 

Figure 8.15 shows the HP 6308M-SX. Figure 8.16 shows the HP 6208M-SX. Each device provides a serial port 
for CLI management and eight 100Mbps SX fiber ports for connection to Gigabit Ethernet links. 

The HP 6308M-SX routing switch provides both Layer 2 switching and Layer 3 routing in a single device and 
supports all of the most popular standards-based protocols: IP, IP/RIP, IPX, OSPF, BGP4, and AppleTalk. HP 
routing switches also support two IP multicasting protocols, Distance Vector Multicast Routing Protocol (DVMRP) 
and Protocol Independent Management (PIM). The routing switches also support path redundancy for hosts 
within a network provided by the Standby Router Protocol (SRP). 

HP 6308M-SX routing switches can be concentrated in a data center to provide additional port density for very 
high-performance, centralized routing. A stack of HP 6308M-SX routing switches can provide connections to 
routers, switches, and servers. 

The HP 6208M-SX switch provides support for Layer 2 and Layer 3 switching within one platform. 

The HP 6208M-SX switch can be used to interconnect a stack of backbone switches for faster switching and 
access over Gigabit links. This switch also can be stacked with other HP 6208M-SX switches in a network center 
to provide Gigabit link connections to switches and server farms through the riser. 
Figure 8.15 HP ProCurve 6308M-SX routing switch 

Figure 8.16 HP ProCurve 6208M-SX switch 



System Architecture 
Chassis Architecture 

Built on a fully non-blocking architecture, the chassis platform provides switching capacity in the core and on each 
interface module of up to 128 Gbps for the HP 9304M and 256 Gbps for the HP 9308M. 

The chassis core consists of a backplane and crosspoint switching fabric that supports four interface modules on 
the HP 9304M. The HP 9308M supports eight interface modules. 

Each interface module utilizes a high bandwidth, shared memory switching fabric that switches up to 32 Gbps of 
bandwidth. This local switching fabric houses the forwarding engines and includes Application Specific Integrated 
Circuits (ASICs) that provide packet switching functions such as priority handling. Each interface module also 
contains ASICs that perform high speed Layer 2, Layer 3, and Layer 4 lookups and forwarding, including IP 
subnet lookups and packet modifications of IP and IPX packets. Additionally, each interface module has an 8 Gbps 
full-duplex data path to the backplane that provides separate priority queues for each module destination. 
Fixed-Port Architecture 

Layer 2 Architecture 

When a packet arrives at an HP 6208M-SX switch, a search for the MAC destination address is initiated. If the 
MAC destination address is found, the packet's priority is determined. The packet is then forwarded to the 
appropriate output port. 

Packets that are not located in the address table are forwarded to all other switch ports unless VLANs are 
operating on the switch. If the switch is operating with VLANs, then the packet is forwarded only to other ports 
within its VLAN. 

If the source address of the packet received at the switch is not resident in its address table, or if the source port 
of the packet has changed, both the source address and its source port will be programmed into the address 
table. 
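The learning and forwarding behaviour just described, as an added example that is not HP firmware: a Python simulation of the address table with VLAN-scoped flooding and re-learning when a source MAC appears on a different port. The port-to-VLAN map and the MAC addresses are constructed values.

```python
"""Simulation of the Layer 2 forwarding path described above (added example,
not HP's firmware): destination lookup, flooding within the VLAN on a miss,
and source learning, including reprogramming when a MAC moves to a new port.
Port-to-VLAN assignments and MAC addresses are constructed values."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Frame:
    src: str        # source MAC, e.g. "00:11:22:33:44:01"
    dst: str        # destination MAC
    vlan: int = 1   # VLAN the frame belongs to (1 when VLANs are not in use)


@dataclass
class L2Switch:
    port_vlan: Dict[int, int]                                        # port -> VLAN id
    table: Dict[Tuple[int, str], int] = field(default_factory=dict)  # (vlan, mac) -> port
    events: List[str] = field(default_factory=list)                  # learn/move log

    def learn(self, frame: Frame, in_port: int) -> None:
        """Program the source address and port, or update it if the port changed."""
        key = (frame.vlan, frame.src)
        known = self.table.get(key)
        if known is None:
            self.events.append(f"learn {frame.src} vlan {frame.vlan} port {in_port}")
        elif known != in_port:
            # A MAC showing up on a new port is worth logging: it is either a
            # legitimate move or something an operator wants to look at.
            self.events.append(f"move {frame.src} vlan {frame.vlan} port {known}->{in_port}")
        self.table[key] = in_port

    def forward(self, frame: Frame, in_port: int) -> List[int]:
        """Return the output port(s) for a frame received on in_port."""
        if self.port_vlan.get(in_port) != frame.vlan:
            return []                  # frame not in this port's VLAN: dropped
        self.learn(frame, in_port)
        out = self.table.get((frame.vlan, frame.dst))
        if out is not None:
            return [] if out == in_port else [out]   # known: one port (or filtered)
        # Unknown destination: flood to every other port in the same VLAN only.
        return sorted(p for p, v in self.port_vlan.items()
                      if v == frame.vlan and p != in_port)


if __name__ == "__main__":
    sw = L2Switch(port_vlan={1: 10, 2: 10, 3: 10, 4: 20, 5: 20})
    a, b = "00:11:22:33:44:01", "00:11:22:33:44:02"
    print(sw.forward(Frame(a, b, 10), 1))   # unknown b: flood to [2, 3]
    print(sw.forward(Frame(b, a, 10), 2))   # a known on port 1: [1]
    print(sw.forward(Frame(a, b, 10), 3))   # a moved to port 3; b known: [2]
    print(sw.events)
```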

Layer 3 Architecture 

When a packet arrives at an HP 9304M, HP 9308M, or HP 6308M-SX routing switch, an address lookup is 
initiated. 

IP Version 4 Packets 

If the IP address is located, then the device performs the following Layer 3 IP operations on the IP packet: 

• Decrements the TTL value. 

• Checks to see if TTL value is greater than zero. If so, the packet will be forwarded. 

• Performs destination MAC address substitution of the next hop router or end station. The source MAC 
address will be replaced by the MAC address of the interface. 

• Updates the header checksum. 

Once Layer 3 operations are completed, the packet's priority is determined, and it is placed in the appropriate 
buffer for forwarding to the target output port. 
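The four Layer 3 IPv4 operations above applied to a constructed Ethernet/IPv4 frame, as an added example (not HP's forwarding code): the TTL is decremented and checked, both MAC addresses are substituted, and the header checksum is updated incrementally (RFC 1624) for the changed TTL word instead of being recomputed. Addresses and MACs are constructed values.

```python
"""The four Layer 3 IPv4 operations listed above, applied to a constructed
Ethernet II frame carrying a 20-byte IPv4 header. Added example, not HP's
forwarding code; all addresses are constructed values."""
import socket
import struct
from typing import Optional


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header whose checksum field is zero."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries (end-around carry)
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def incremental_checksum(old_csum: int, old_word: int, new_word: int) -> int:
    """RFC 1624 update for one changed 16-bit word: HC' = ~(~HC + ~m + m')."""
    total = (~old_csum & 0xFFFF) + (~old_word & 0xFFFF) + new_word
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac: bytes, dst_mac: bytes, src_ip: str, dst_ip: str,
                ttl: int, proto: int = 6) -> bytes:
    """Constructed frame: Ethernet header + IPv4 header, no payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0x1234, 0x4000, ttl, proto, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return dst_mac + src_mac + b"\x08\x00" + hdr


def forward_ipv4(frame: bytes, next_hop_mac: bytes, egress_mac: bytes) -> Optional[bytes]:
    """Rewrite the frame as the routing switch does; None means the packet is dropped."""
    eth, ip = bytearray(frame[:14]), bytearray(frame[14:])
    if eth[12:14] != b"\x08\x00" or ip[0] >> 4 != 4:
        return None                          # not IPv4: outside this example
    # 1. Decrement the TTL.  2. Forward only if the result is still greater than zero.
    if ip[8] - 1 <= 0:
        return None
    old_word = (ip[8] << 8) | ip[9]          # TTL and protocol share one 16-bit word
    ip[8] -= 1
    new_word = (ip[8] << 8) | ip[9]
    # 3. Destination MAC becomes the next hop's; source MAC becomes the egress interface's.
    eth[0:6] = next_hop_mac
    eth[6:12] = egress_mac
    # 4. Update the header checksum for the changed word only.
    old_csum = struct.unpack("!H", ip[10:12])[0]
    struct.pack_into("!H", ip, 10, incremental_checksum(old_csum, old_word, new_word))
    return bytes(eth + ip)


def ip_ttl(frame: bytes) -> int:
    return frame[14 + 8]


def ip_checksum_field(frame: bytes) -> int:
    return struct.unpack("!H", frame[24:26])[0]


def checksum_is_valid(frame: bytes) -> bool:
    """Full recompute over the header must agree with the stored field."""
    ihl = (frame[14] & 0x0F) * 4
    hdr = frame[14:14 + ihl]
    return ipv4_checksum(hdr[:10] + b"\x00\x00" + hdr[12:]) == ip_checksum_field(frame)


if __name__ == "__main__":
    host, router_in = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    router_out, next_hop = bytes.fromhex("020000000003"), bytes.fromhex("020000000004")
    f = build_frame(host, router_in, "10.0.0.1", "192.0.2.1", 64)
    out = forward_ipv4(f, next_hop, router_out)
    print(ip_ttl(out), hex(ip_checksum_field(f)), hex(ip_checksum_field(out)))  # 63 0x5cae 0x5dae
```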

IPX Packets 

When an IPX packet is received, the frame type is determined. When the incoming and outgoing frame types are 
Ethernet 802.2 or 802.3, the device will perform hardware forwarding: 

• If the destination network number is an internal or remote network number. 

• If the destination network number is an internal or remote network number, the system will provide network 
assistance. 

• If the frame type is Ethernet II or Ethernet SNAP, the packet is sent directly to the CPU. The CPU will 
increment the transport control count and forward it to its target output port. 

Other Protocol Packets 

Protocols not supported by the routing switches will be switched at Layer 2. 
Physical View 

This section describes the external features of the HP 9304M, HP 9308M, HP 6308M-SX, and HP 6208M-SX. 

Figure 8.17 Example front panel of an HP 9304M routing switch 

Figure 8.18 Front panel of an HP ProCurve 6308M-SX routing switch 

Figure 8.19 Rear panel of an HP 6208M-SX switch or HP 6308M-SX routing switch 

NOTE: The rear panels of the HP 9308M and HP 9304M Chassis devices provide no network or power 
connections and therefore are not shown. 



Slot and Port Numbers 

The port numbers on all Fixed-port devices and Chassis devices are labeled on the hardware. However, the 
method you use to enter or select a port number differs depending on whether you are managing a Fixed-port 
device or a Chassis device. 

Fixed-Port Devices 

To specify a port number in the software, enter or select the number associated with the port on the device's front 
panel. For example, to assign a name to port 8 on a Fixed-port device, enter the following CLI commands: 

HP6208(config)# interface e 8 

HP6208(config-if-8)# port-name pdtmarketing 

Syntax: interface ethernet <portnum> 

Syntax: port-name <string> 

Chassis Devices 

The port numbers on the modules in Chassis devices are labeled, but the slot numbers are not labeled. 

• Slots on the HP 9304M are numbered 1 - 4, from top to bottom. 

• Slots on the HP 9308M are numbered 1 - 8, from left to right. 

You can place the management module in any slot. The slot numbers are absolute and do not change based on 
the position of the management module. 

To specify a port on a Chassis device, enter the slot number, a forward slash ( / ), and the number associated with 
the port on the device's front panel. For example, to assign a name to port 8 on the module installed in chassis 
slot 2, enter the following commands: 

HP9300(config)# interface e 2/8 

HP9300(config-if-2/8)# port-name pdtmarketing 

Syntax: interface ethernet <portnum> 

Syntax: port-name <string> 

NOTE: The Fixed-port devices do not contain separate slots and thus do not use slot numbers. 



AC Power Connector 

The AC power connectors are located at the rear of the Fixed-port devices. Because a redundant supply is 
installed, the rear panel contains two AC connectors. 

On Chassis devices, the power supplies are accessible from the front of the chassis, and the power supply 
connector is embedded within the power supply. 

Buffering 

Fixed-port devices provide a pool of 2 Megabytes (MB) of buffering memory for their ports. Buffering memory for 
each chassis module is also 2 MB. 

Fans 

The HP 6308M-SX routing switch and HP 6208M-SX switch come standard with two fans to provide additional 
cooling for the internal components of the device. 
The Chassis devices, the HP 9304M and HP 9308M, also come standard with fans. The HP 9304M comes 
standard with four fans. The HP 9308M comes standard with six fans. 

LEDs 

Each device is equipped with LEDs that denote port and power supply status. The tables below reflect the 
different port and expansion module port states. 

Fixed-Port Devices 

The HP 9304M and HP 9308M devices come equipped with three LEDs per Ethernet port, as highlighted in Table 
8.1 below. Gigabit Ethernet ports have two LED indicators, as defined in Table 8.2. 

Table 8.1: Port LED indicators for a Fixed-port 10BaseT/100BaseTX system 

LED        Position   State      Meaning 
FDX/HDX    Top        On         The port is operating at full-duplex. 
                      Off        The port is operating at half-duplex. 
100        Middle     On         The port is operating at 100 Mbps. 
                      Off        The port is not operating at 100 Mbps. 
Link/Act   Bottom     On         Port is connected. 
                      Off        No port connection exists. 
                      Blinking   Traffic is being transmitted or received on that port. 


Chassis Devices 

Chassis devices support two different modules with two different LED indicator types, Ethernet/Fast Ethernet and 
Gigabit Ethernet. Ethernet/Fast Ethernet modules have two port LED indicators, as defined in Table 8.3. LEDs for 
Gigabit Ethernet ports are defined in Table 8.2. 

Table 8.2: Port LED indicators for 100BaseFX, 1000BaseSX/LX, and 1000BaseT ports 

LED        Position   State      Meaning 
Link       Top        On         Port is connected. 
                      Off        No port connection exists. 
Activity   Bottom     On         Traffic is being transmitted and received on that port. 
                      Off        No traffic is being transmitted. 
                      Blinking   Traffic is being transmitted and received on that port. 




Table 8.3: Port LED indicators for 10BaseT/100BaseTX chassis modules 

LED            Position   State      Meaning 
Link/Activity  Left       On         Port is connected. 
                          Off        No port connection exists. 
                          Blinking   Traffic is being transmitted and received on that port. 
FDX            Right      On         The port is operating at full-duplex. 
                          Off        The port is operating at half-duplex. 


Ports 

The following port types are supported on the HP 9304M and HP 9308M devices. 

1000BaseT Gigabit Copper (GC) Ports 

The 1000Base-T Gigabit Copper ports can provide Gigabit throughput over standard Cat-5 copper wiring. The 
port connectors are RJ-45s, the same as the connectors on HP's 10/100 modules. Thus, you can immediately 
deploy the GC ports without recabling. 

10BaseT/100BaseTX Ports 

The 10BaseT/100BaseTX ports are auto-sensing, auto-negotiating ports with RJ-45 UTP connectors. These 
ports accept Category 5 Unshielded Twisted Pair (UTP) cables. 

See "Connecting Network Devices" on page 2-17 for cabling pinouts and signalling specifics. If you prefer to 
avoid assembling cables by hand, you can order the proper cables from HP. 

100BaseFX Ports 

The 100BaseFX ports are equipped with MT-RJ connectors and operate at 100 Mbps in full-duplex mode. 

1000BaseSX Ports 

The 1000BaseSX ports operate in full-duplex mode and are equipped with SC connectors. Multi-mode fiber 
cabling is supported. 

1000BaseLX 

The 1000BaseLX ports operate in full-duplex mode and are equipped with SC connectors. Both single-mode fiber 
(SMF) and multi-mode fiber (MMF) cabling is supported. The 1000BaseLX ports must be connected to another 
1000BaseLX port. Connection to a 1000BaseSX port is not supported. 

NOTE: 1000BaseSX and 1000BaseLX ports also support auto-negotiation when the auto-gig option is enabled 
on the system. 

NOTE: 1000BaseSX and 1000BaseLX ports operate only at full-duplex. 

Port Connectors 

100BaseFX ports come with MT-RJ connectors. 

1000BaseSX and 1000BaseLX ports come with dual SC connectors. 

10/100BaseTX ports come with RJ-45 connectors. 

Modules 

This section describes the modules designed for the HP 9304M and HP 9308M routing switches. 

Chassis Modules 

Chassis modules include these options: 

• Redundant Management: 

  8-port Gigabit LX redundant management modules 
  8-port Gigabit SX redundant management modules 
  0-port redundant management module 

• Management: 

  16-port 10/100BaseTX management module 
  8-port Gigabit SX management module 
  4-port Gigabit LX and 4-port Gigabit SX management module 

• Non-Management: 

  8-port 1000Base-T module 
  24-port 10/100BaseTX module 
  24-port 100Base FX (MT-RJ) module 
  8-port Gigabit SX module 
  8-port Gigabit 4LX/4SX module 
  8-port Gigabit LX module 

NOTE: The Chassis devices support 1000BaseSX, 1000BaseLX, and 1000BaseT ports. 

Redundant Management Module 

The Redundant Management modules provide increased route capacity for routing switches running Border 
Gateway Protocol Version 4 (BGP4). In addition, the Redundant Management modules contain a configurable 
temperature sensor that sends a Syslog message and SNMP trap if the temperature on the module exceeds a 
specified warning level. The temperature sensor also can shut the module down automatically to prevent 
damage. 

You can use one or two Redundant Management modules in a Chassis device. Using two Redundant 
Management modules adds fault protection against system outage. The two modules work together as active and 
standby management modules. If the active module becomes unavailable, the standby module automatically 
takes over system operation. 

For more information and complete configuration and management information, see "Using Redundant 
Management Modules" on page 5-1 . 

AC Power Supply 

The fixed-port HP 6208M-SX switch and HP 6308M-SX routing switch are equipped with an autoranging 100-250 
VAC power supply rated at 5 - 2.5A and 50 - 60 Hz. 

The HP 9304M and HP 9308M routing switches are equipped with an autoranging 100 - 120/200 - 240 VAC 
power supply rated at 8A/4A and 50 - 60 Hz. The green LED on the power supply is lit when the power supply is 
properly supplying 5-volt power to the system. 
Standard and Redundant Power Options 

The Fixed-port devices come standard with two power supplies. Redundant power is an option for the Chassis 
device. Each power supply can be connected to a separate AC power source for additional power redundancy. 

Fixed-Port Devices 

These systems come standard with two power supplies. 

Chassis Devices 

The HP 9304M comes standard with one power supply, which is enough to provide adequate power for any 
combination of modules. You can order an additional power supply for redundancy. 

The HP 9308M can contain from one to four power supplies and comes standard with one power supply. 

• One supply is adequate for devices with one, two, or three modules (including the management module). 

• If the chassis contains four or more modules, you need at least two power supplies. Two power supplies is 
sufficient if the chassis contains fewer than four 24-port 10/100 FX modules. 

• If the chassis contains four or more 24-port 10/100 FX modules, you need at least three power supplies. 

You can order additional power supplies over your systems' minimum requirement for redundancy. If fewer than 
four power supplies are installed, the empty slots will be covered by safety covers. 



NOTE: When you power on a Chassis device that requires multiple power supplies, make sure you apply power 
to all the supplies (or at least the minimum number of supplies required for your configuration) at the same time. 
Otherwise, the device either will not boot at all, or will boot and then repeatedly display a warning message stating 
that you need to add more power supplies. 



Temperature Sensor 

The Redundant Management modules for the HP 9304M and HP 9308M routing switches contain an on-board 
temperature sensor. The software reads the sensor based on the chassis poll-time, a configurable parameter that 
determines how often the software polls the chassis for hardware status information. 

The software is configured with a warning temperature (default 45 degrees Celsius) and a shutdown temperature 
(default 55 degrees Celsius). When the software reads the temperature sensor, if the temperature equals or 
exceeds the warning or shutdown temperature, the software does the following: 

• Warning message - If the temperature of the module reaches the warning value, the software sends a Syslog 
message to the Syslog buffer and also to the SyslogD server, if configured. In addition, the software sends 
an SNMP trap to the SNMP trap receiver, if you have configured the device to use one. 

• Shutdown - If the temperature matches or exceeds the shutdown temperature, the software sends a Syslog 
message to the Syslog buffer and also to the SyslogD server if configured. The software also sends an 
SNMP trap to the SNMP trap receiver, if you have configured the device to use one. 

If the temperature equals or exceeds the shutdown temperature for five consecutive polls of the temperature by 
the software, the software shuts down the module to prevent damage. 

For more information and configuration information, see "Temperature Sensor" on page 5-16. 

Reset Button 

The reset button allows you to restart the system. The reset button is recessed to prevent it from being pushed 
accidentally. 

• For Chassis devices, the reset button is located to the right of the serial port on the management module as 
labeled in Figure 8.17. 

• For Fixed-port devices, the reset button is located to the right of the serial port as labeled in Figure 8.18. 

This chapter describes how to configure basic, non-protocol features on HP devices using the CLI and Web 
management interface. 

This chapter contains procedures for configuring the following parameters: 

• Basic System Parameters - see "Configuring Basic System Parameters" on page 9-3 

• Basic Port Parameters - see "Configuring Basic Port Parameters" on page 9-23 

• Basic Layer 2 Parameters - see "Configuring Basic Layer 2 Parameters" on page 9-29 

• Basic Layer 3 Parameters - see "Enabling or Disabling Routing Protocols" on page 9-57 

• System defaults and table sizes - see "Displaying and Modifying System Parameter Default Settings" on 
page 9-58 

• Mirror ports (for traffic diagnosis and troubleshooting) - see "Assigning a Mirror Port and Monitor Ports" on 
page 9-61 



NOTE: For information about configuring IP addresses, DNS resolver, DHCP assist, and other IP-related 
parameters, see the "Configuring IP" chapter in the Advanced Configuration and Management Guide. 



HP switches and routing switches are configured at the factory with default parameters that allow you to begin 
using the basic features of the system immediately. However, many of the advanced features such as VLANs or 
routing protocols for the routing switch must first be enabled at the system (global) level before they can be 
configured. 

• If you use the Command Line Interface (CLI) to configure system parameters, you can find these system level 
parameters at the Global CONFIG level of the CLI. 

• If you use the Web management interface, you configure the system level parameters on the System 
configuration panel, which is displayed by default when you start a management session. Figure 9.1 shows 
an example of the System configuration panel on an HP 9304M or HP 9308M routing switch. 



NOTE: Before assigning or modifying any routing switch parameters, you must assign the IP sub-net 
(interface) addresses for each port. 



NOTE: This chapter does not describe how to configure Virtual LANs (VLANs). For VLAN configuration 
information, see the "Configuring Virtual LANs (VLANs)" chapter in the Advanced Configuration and Management 
Guide. 
Using the Web Management Interface for Basic Configuration Changes 

The Web management interface enables you to easily make numerous configuration changes by entering or 
changing information on configuration panels such as the one shown in Figure 9.1 . This example is for a routing 
switch. The HP 6208M-SX does not have routing options but does have some additional options not available on 
routing switches. 
Figure 9.1 System configuration panel for an HP routing switch 

You can perform the following configuration tasks from the System configuration panel: 

• Enter system administration information. 

• Review or modify the IP, mask, and gateway addresses (HP 6208M-SX only). 

• Assign IP sub-net (interface) addresses and masks (routing switches only). 

• Assign DHCP gateway lists for DHCP Assist operation (HP 6208M-SX only). 

• Configure Domain Name Server (DNS) Resolver. 

• Define a MAC address filter. 

• Set the system clock. 

• Configure the device to use a Simple Network Time Protocol (SNTP) server. 

• Enable port-based and/or layer 3 protocol VLANs. 

• Enable or disable IP Multicast Traffic Reduction (HP 6208M-SX only). 

• Enable or disable IGMP (HP 6208M-SX only). 

• Enable or disable protocols (OSPF, RIP, IPX, DVMRP, PIM, SRP, VRRP, BGP4, AppleTalk) (routing switches 
only). 

• Assign Layer 4 QoS Priority (HP 6208M-SX only). 

NOTE: Layer 4 priority for routing switches is set using the IP policy command found at the global CONFIG 
level of the CLI and the IP configuration sheet for the Web management interface. 

• Enable or disable Spanning Tree Protocol. 

• Enable or disable SNMP operation and configure SNMP community strings, trap receivers, and other 
parameters. 

• Enable or disable IEEE 802.1q VLAN tagging. 

• Enable or disable Layer 2 switching (routing switches only). 

• Enable or disable Telnet. 

• Change the aging period (switch age time) for entries in the address table. 

• Assign a mirror port. 

• Modify system parameters. 

• Add or delete modules (Chassis devices only). 

• Modify tag type. 

• Modify telnet timeout period. 

• Modify broadcast limit. 

• Enable or disable management using the Web management interface. 

• Apply base (system) default values (HP 6208M-SX only). 

• Configure redundant management module parameters (Chassis devices only). 

The procedures in this chapter describe how to configure these parameters. 

Configuring Basic System Parameters 

The procedures in this section describe how to configure the following basic system parameters: 

• System name, contact, and location - see "Entering System Administration Information" on page 9-3 

• SNMP trap receiver, trap source address, and individual traps - see "Configuring Simple Network 
Management (SNMP) Parameters" on page 9-5 

• Single source address for all Telnet packets - see "Configuring an Interface as the Source for All Telnet 
Packets" on page 9-9 

• System time using a Simple Network Time Protocol (SNTP) server or local system counter - see "Specifying 
a Simple Network Time Protocol (SNTP) Server" on page 9-10 and "Setting the System Clock" on page 9-12 

• Syslog server and local syslog buffer parameters - see "Configuring the Syslog Service" on page 9-14 

• Default Gigabit negotiation mode (for Chassis devices) - see "Changing the Default Gigabit Negotiation 
Mode" on page 9-19 

• Broadcast, multicast, or unknown-unicast limits, if required to support slower third-party devices - see 
"Limiting Broadcast, Multicast, or Unknown-Unicast Rates" on page 9-20 

• Banners that are displayed on users' terminals when they enter the Privileged EXEC CLI level or access the 
device through Telnet - see "Configuring CLI Banners" on page 9-21. 

Entering System Administration Information 

You can configure a system name, contact, and location for an HP switch or routing switch and save the 
information locally in the configuration file for future reference. This information is not required for system 
operation but is suggested. When you configure a system name, the name replaces the default system name in 
the CLI command prompt. For example, if the system is an HP 9304M or HP 9308M, the system name you 
configure replaces "HP 9304M or HP 9308M" in the command prompt. 

The name, contact, and location each can be up to 32 alphanumeric characters. 
USING THE CLI 

Here is an example of how to configure a switch or routing switch name, system contact, and location: 

HP6208(config)# hostname Oakland 
Oakland(config)# snmp-server contact Suzy Creamcheese 
Oakland(config)# snmp-server location Centerville 
Oakland(config)# end 
Oakland# write memory 

Syntax: hostname <string> 

NOTE: On the HP 9304M, HP 9308M, and HP 6308M-SX, you also can use the chassis name command to set 
the device name. 

Syntax: snmp-server contact <string> 
Syntax: snmp-server location <string> 

The text strings can contain blanks. The SNMP text strings do not require quotation marks when they contain 
blanks but the host name does. 

USING THE WEB MANAGEMENT INTERFACE 

Here is an example of how to configure a switch or routing switch name, system contact, and location: 

1. Log on to the device using a valid user name and password for read-write access. The System configuration 
panel is displayed. 

2. Select the Identification link to display the following panel. 

[Identification panel: Name, Contact, and Location fields with Apply and Reset buttons; the example shows 
hp9308, Suzy Creamcheese, and Centerville.] 

3. Edit the value in the Name field to change the device name. The name can contain blanks. 

4. Enter the name of the administrator for the device in the Contact field. The name can contain blanks. 

5. Enter the device's location in the Location field. The location can contain blanks. 

6. Click the Apply button to save the change to the device's running-config file. 

7. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change 
to the startup-config file on the device's flash memory. 

NOTE: You also can access the dialog for saving configuration changes by clicking on the plus sign next to 
Command in the tree view, then clicking on Save to Flash . 
Configuring Simple Network Management (SNMP) Parameters 

Use the procedures in this section to perform the following configuration tasks: 

• Specify an SNMP trap receiver. 

• Specify a source address and community string for all traps sent by the device. 

• Disable individual SNMP traps. (All traps are enabled by default.) 

• Disable traps for CLI access that is authenticated by a local user account, a RADIUS server, or a TACACS/ 
TACACS+ server. 



NOTE: To add and modify "get" (read-only) and "set" (read-write) community strings, see "Establishing SNMP 
Community Strings" on page 3-13. 



Specifying an SNMP Trap Receiver 

You can specify a trap receiver to ensure that all SNMP traps sent by the HP device go to the same SNMP trap 
receiver or set of receivers, typically one or more host devices on the network. When you specify the host, you 
also specify a community string. The HP device sends all the SNMP traps to the specified host(s) and includes 
the specified community string. Administrators can therefore filter for traps from an HP device based on IP 
address or community string. 

When you add a trap receiver, the software automatically encrypts the community string you associate with the 
receiver when the string is displayed by the CLI or Web management interface. If you want the software to show 
the community string in the clear, you must explicitly specify this when you add a trap receiver. In either case, the 
software does not encrypt the string in the SNMP traps sent to the receiver. 

To specify the host to which the device sends all SNMP traps, use one of the following methods. 

USING THE CLI 

To add a trap receiver and encrypt the display of the community string, enter commands such as the following: 

HP9300(config)# snmp-server host 2.2.2.2 "HP 9304-12" 
HP9300(config)# write memory 

Syntax: snmp-server host <ip-addr> [0 | 1] <string> 

The <ip-addr> parameter specifies the IP address of the trap receiver. 

The 0 | 1 parameter specifies whether you want the software to encrypt the string (1) or show the string in the 
clear (0). The default is 1. 

The <string> parameter specifies an SNMP community string configured on the HP device. The string can be a 
read-only string or a read-write string. The string is not used to authenticate access to the trap host but is instead 
a useful method for filtering traps on the host. For example, if you configure each of your HP devices that use the 
trap host to send a different community string, you can easily distinguish among the traps from different HP 
devices based on the community strings. 

If the string contains blanks, use double quotation marks. 

The command in the example above adds trap receiver 2.2.2.2 and configures the software to encrypt display of 
the community string. When you save the new community string to the startup-config file (using the write 
memory command), the software adds the following command to the file: 

snmp-server host 2.2.2.2 1 <encrypted-string> 

To add a trap receiver and configure the software to show the community string in the clear in the CLI and Web 
management interface, enter commands such as the following: 

HP9300(config)# snmp-server host 2.2.2.2 0 "HP 9304M-12" 
HP9300(config)# write memory 

The command in the example above adds trap receiver 2.2.2.2 and configures the software to display the 
community string associated with the receiver in the clear. When you save the new community string to the 
startup-config file, the software adds the following command to the file: 

snmp-server host 2.2.2.2 0 "HP 9304M-12" 

USING THE WEB MANAGEMENT INTERFACE 

1. Log on to the device using a valid user name and password for read-write access. 

2. Click the Management link to display the Management configuration panel. 

3. Click the Trap Receiver link to display the Trap Receiver panel. 

4. Enter the IP address of the receiver in the IP Address field. 

5. Enter the community string you want the routing switch to send in traps sent to this host in the Community 
String field. 

6. Select the Encrypt checkbox to remove the checkmark if you want to disable encryption of the string display. 
Encryption prevents other users from seeing the string in the CLI or Web management interface. If you 
disable encryption, other users can view the community string. Encryption is enabled by default. 

To re-enable encryption, select the checkbox to place a checkmark in the box. 

7. Click Add to apply the change to the device's running-config file. 

8. Select the Save link at the bottom of the panel. Select Yes when prompted to save the configuration change 
to the startup-config file on the device's flash memory. 

Specifying a Single Trap Source 

You can specify a single trap source to ensure that all SNMP traps sent by the HP device use the same source IP 
address. When you configure the SNMP source address, you specify the Ethernet port, loopback interface, or 
virtual interface that is the source for the traps. The HP device then uses the first IP address configured on the 
port or interface as the source IP address in the SNMP traps sent by the device. 

Identifying a single source IP address for SNMP traps provides the following benefits: 

• If your trap receiver is configured to accept traps only from specific links or IP addresses, you can use this 
feature to simplify configuration of the trap receiver by configuring the HP device to always send the traps 
from the same link or source address. 

• If you specify a loopback interface as the single source for SNMP traps, SNMP trap receivers can receive 
traps regardless of the states of individual links. Thus, if a link to the trap receiver becomes unavailable but 
the receiver can be reached through another link, the receiver still receives the trap, and the trap still has the 
source IP address of the loopback interface. 



NOTE: When you designate an interface as the SNMP trap source for an HP device, the software uses the first 
IP address configured on the interface as the source IP address for the traps. The first IP address refers to when 
the address was configured, not to its numeric sequence relative to other IP addresses configured on the 
interface. Thus, the first IP address is not the numerically lowest address, but is instead the IP address configured 
on the interface before any other IP addresses were configured on that interface. 

To specify a port, loopback interface, or virtual interface whose first configured IP address the HP device must use 
as the source for all SNMP traps sent by the device, use the following CLI method. 

USING THE CLI 

To configure the device to send all SNMP traps from the first configured IP address on port 4/11, enter the 
following commands: 

HP9300(config)# snmp trap-source ethernet 4/11 
HP9300(config)# write memory 

Syntax: snmp-server trap-source loopback <num> | ethernet <portnum> | ve <num> 

The <num> parameter is a loopback interface or virtual interface number. If you specify an Ethernet port, the 
<portnum> is the port's number (including the slot number, if you are configuring an HP 9304M or HP 9308M). 

To specify the first IP address configured on a loopback interface as the device's SNMP trap source, enter 
commands such as the following: 

HP9300(config)# int loopback 1 

HP9300(config-lbif-1)# ip address 10.0.0.1/24 

HP9300(config-lbif-1)# exit 

HP9300(config)# snmp-server trap-source loopback 1 

The commands in this example configure loopback interface 1, assign IP address 10.0.0.1/24 to the loopback 
interface, then designate the interface as the SNMP trap source for this routing switch. Regardless of the port the 
HP device uses to send traps to the receiver, the traps always arrive from the same source IP address. 

The following commands configure an IP interface on an Ethernet port and designate the address as the SNMP 
trap source for a routing switch. The HP device always sends traps through the Ethernet port and the source IP 
address of the traps is always the first IP address configured on the Ethernet port. 

HP9300(config)# interface eth 2/1 

HP9300(config-if-2/1)# ip address 209.157.22.26/24 

HP9300(config-if-2/1)# exit 

HP9300(config)# snmp trap-source eth 2/1 

USING THE WEB MANAGEMENT INTERFACE 

You cannot configure a trap source using the Web management interface. 

Disabling SNMP Traps 

HP switches and routing switches come with SNMP trap generation enabled by default for all traps. You can 
selectively disable one or more of the following traps. 

NOTE: By default, all SNMP traps are enabled at system startup. 

Switch Traps 

The following traps are generated on the switches: 

• SNMP authentication keys 

• Power supply failure 

• Fan failure 

• Cold start 

• Link up 

• Link down 

• Bridge new root 

• Bridge topology change 

• Locked address violation 

• Module insert (applies only to Chassis devices) 

• Module remove (applies only to Chassis devices) 

Routing Switch Traps 

The following traps are generated on the routing switches: 

• SNMP authentication key 

• Power supply failure 

• Fan failure 
• Cold start 

• Link up 

• Link down 

• Bridge new root 

• Bridge topology change 

• Locked address violation 

• Module insert 

• Module remove 

• BGP4 

• OSPF 

• SRP 

• VRRP 

• VRRPE 

USING THE CLI 

To stop link down occurrences from being reported, enter the following: 

HP9300(config)# no snmp-server enable traps link-down 

Syntax: [no] snmp-server enable traps <trap-type> 

NOTE: For a list of the trap type values, see the Command Line Interface Reference. 

USING THE WEB MANAGEMENT INTERFACE 

To enable or disable individual SNMP traps: 

1. Log on to the device using a valid user name and password for read-write access. The System configuration 
panel is displayed. 

2. Select the Management link to display the Management panel. 

NOTE: The panel lists different traps for switches and routing switches. 

3. Select the Disable or Enable button next to the trap you want to disable or enable. 

4. Click the Apply button to save the change to the device's running-config file. 

5. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change 
to the startup-config file on the device's flash memory. 

Disabling Syslog Messages and Traps for CLI Access 

HP devices send Syslog messages and SNMP traps when a user logs into or out of the User EXEC or Privileged 
EXEC level of the CLI. The feature applies to users whose access is authenticated by an authentication-method 
list based on a local user account, RADIUS server, or TACACS/TACACS+ server. 

NOTE: The Privileged EXEC level is sometimes called the "Enable" level, because the command for accessing 
this level is enable. 

The feature is enabled by default. 

Examples of Syslog Messages for CLI Access 

When a user whose access is authenticated by a local user account, a RADIUS server, or a TACACS/TACACS+ 
server logs into or out of the CLI's User EXEC or Privileged EXEC mode, the software generates a Syslog 
message and trap containing the following information: 
• The time stamp 

• The user name 

• Whether the user logged in or out 

• The CLI level the user logged into or out of (User EXEC or Privileged EXEC level) 



NOTE: Messages for accessing the User EXEC level apply only to access through Telnet. The device does not 
authenticate initial access through serial connections but does authenticate serial access to the Privileged EXEC 
level. Messages for accessing the Privileged EXEC level apply to access through the serial connection or Telnet. 

The following examples show login and logout messages for the User EXEC and Privileged EXEC levels of the 
CLI: 

HP9300(config)# show logging 

Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns) 
Buffer logging: level ACDMEINW, 12 messages logged 
level code: A=alert C=critical D=debugging M=emergency E=error 
I=informational N=notification W=warning 

Static Log Buffer: 

Dec 15 19:04:14:A: Fan 1, fan on right connector, failed 
Dynamic Log Buffer (50 entries): 

Oct 15 18:01:11:info:dg logout from USER EXEC mode 
Oct 15 17:59:22:info:dg logout from PRIVILEDGE EXEC mode 
Oct 15 17:38:07:info:dg login to PRIVILEDGE EXEC mode 
Oct 15 17:38:03:info:dg login to USER EXEC mode 

Syntax: show logging 

The first message (the one on the bottom) indicates that user "dg" logged in to the CLI's User EXEC level on 
October 15 at 5:38 PM and 3 seconds (Oct 15 17:38:03). The same user logged into the Privileged EXEC level 
four seconds later. 

The user remained in the Privileged EXEC mode until 5:59 PM and 22 seconds. (The user could have used the 
CONFIG modes as well. Once you access the Privileged EXEC level, no further authentication is required to 
access the CONFIG levels.) At 6:01 PM and 11 seconds, the user ended the CLI session. 
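The following example is added here and is not from the HP manual. It is a small Python script that parses CLI-access entries in the format shown above (newest entry first, no year, and the device's own spelling "PRIVILEDGE"), orders them chronologically, and pairs each Privileged EXEC login with that user's logout. This is the review an administrator runs against a SyslogD archive to see who held the Enable level and for how long, which matters because the local buffer holds only 50 entries and is cleared on reload. The sample lines are constructed from the example output above, and the year 1999 is an assumption, since the device omits it. 

```python
import re
from datetime import datetime

# Constructed sample input: the CLI-access entries from the manual's show
# logging example (newest first, as the device prints them) plus one
# unrelated static-buffer entry that the parser must skip.
SAMPLE_LOG = """\
Oct 15 18:01:11:info:dg logout from USER EXEC mode
Oct 15 17:59:22:info:dg logout from PRIVILEDGE EXEC mode
Oct 15 17:38:07:info:dg login to PRIVILEDGE EXEC mode
Oct 15 17:38:03:info:dg login to USER EXEC mode
Dec 15 19:04:14:A: Fan 1, fan on right connector, failed
"""

# Assumption: the device omits the year, so the caller supplies it.
LOG_YEAR = 1999

# "<Mon> <day> <hh:mm:ss>:<severity>:<user> login to|logout from <USER|PRIVILEDGE> EXEC mode"
CLI_ACCESS_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d):"
    r"(?P<sev>\w+):(?P<user>\S+) (?P<action>login to|logout from) "
    r"(?P<level>USER|PRIVILEDGE) EXEC mode$"
)


def parse_cli_access(text, year=LOG_YEAR):
    """Return CLI login/logout events, oldest first; other log entries are skipped."""
    events = []
    for line in text.splitlines():
        m = CLI_ACCESS_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(f"{m['mon']} {m['day']} {year} {m['time']}",
                                 "%b %d %Y %H:%M:%S")
        events.append({
            "time": when,
            "user": m["user"],
            "privileged": m["level"] == "PRIVILEDGE",
            "login": m["action"] == "login to",
        })
    # The device prints newest first; sort oldest first to reconstruct sessions.
    events.sort(key=lambda e: e["time"])
    return events


def privileged_sessions(events):
    """Pair each Privileged EXEC login with that user's next Privileged EXEC logout.

    Returns (user, login_time, seconds) tuples; seconds is None when no logout
    was seen (session still open, or the logout entry aged out of the buffer).
    """
    open_logins = {}
    sessions = []
    for e in events:
        if not e["privileged"]:
            continue
        if e["login"]:
            open_logins[e["user"]] = e["time"]
        elif e["user"] in open_logins:
            start = open_logins.pop(e["user"])
            sessions.append((e["user"], start, int((e["time"] - start).total_seconds())))
    for user, start in open_logins.items():
        sessions.append((user, start, None))
    return sessions


if __name__ == "__main__":
    for user, start, secs in privileged_sessions(parse_cli_access(SAMPLE_LOG)):
        dur = "still open" if secs is None else f"{secs} s"
        print(f"{user}: Privileged EXEC from {start:%b %d %H:%M:%S}, {dur}")
```

Run against the sample, the script reports one Privileged EXEC session for user dg starting at 17:38:07 and lasting 1275 seconds (21 minutes 15 seconds), which matches the 17:59:22 logout described in the text. 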

Disabling the Syslog Messages and Traps 

Logging of CLI access is enabled by default. If you want to disable the logging, use the following method. 

USING THE CLI 

To disable logging of CLI access, enter the following commands: 

HP9300(config)# no logging enable user-login 
HP9300(config)# write memory 
HP9300(config)# reload 

Syntax: [no] logging enable user-login 

USING THE WEB MANAGEMENT INTERFACE 

You cannot disable logging of CLI access using the Web management interface. 

Configuring an Interface as the Source for All Telnet Packets 

You can designate the lowest-numbered IP address configured on an Ethernet port, loopback interface, or virtual 
interface as the source IP address for all Telnet packets from the routing switch. Identifying a single source IP 
address for Telnet packets provides the following benefits: 

• If your Telnet server is configured to accept packets only from specific links or IP addresses, you can use this 
feature to simplify configuration of the Telnet server by configuring the HP device to always send the Telnet 
packets from the same link or source address. 
• If you specify a loopback interface as the single source for Telnet packets, Telnet servers can receive the 
packets regardless of the states of individual links. Thus, if a link to the Telnet server becomes unavailable 
but the client or server can be reached through another link, the client or server still receives the packets, and 
the packets still have the source IP address of the loopback interface. 

The software contains separate CLI commands for specifying the source interface for Telnet, TACACS/ 
TACACS+, and RADIUS packets. You can configure a source interface for one or more of these types of packets. 

To specify an Ethernet port or a loopback or virtual interface as the source for all Telnet packets from the device, 
use the following CLI method. The software uses the lowest-numbered IP address configured on the port or 
interface as the source IP address for Telnet packets originated by the device. 

USING THE CLI 

To specify the lowest-numbered IP address configured on a loopback interface as the device's source for all Telnet 
packets, enter commands such as the following: 

HP9300(config)# int loopback 2 

HP9300(config-lbif-2)# ip address 10.0.0.2/24 

HP9300(config-lbif-2)# exit 

HP9300(config)# ip telnet source-interface loopback 2 

The commands in this example configure loopback interface 2, assign IP address 10.0.0.2/24 to the interface, 
then designate the interface as the source for all Telnet packets from the routing switch. 

Syntax: ip telnet source-interface ethernet <portnum> | loopback <num> | ve <num> 

The <num> parameter is a loopback interface or virtual interface number. If you specify an Ethernet port, the 
<portnum> is the port's number (including the slot number, if you are configuring a chassis device). 

The following commands configure an IP interface on an Ethernet port and designate the port as the 
source for all Telnet packets from the routing switch. 

HP9300(config)# interface ethernet 1/4 

HP9300(config-if-1/4)# ip address 209.157.22.110/24 

HP9300(config-if-1/4)# exit 

HP9300(config)# ip telnet source-interface ethernet 1/4 

USING THE WEB MANAGEMENT INTERFACE 

You cannot configure a single Telnet source using the Web management interface. 

Specifying a Simple Network Time Protocol (SNTP) Server 

You can configure switches and routing switches to consult SNTP servers for the current system time and date. 



NOTE: HP switches and routing switches do not retain time and date information across power cycles. Unless 
you want to reconfigure the system time counter each time the system is reset, Hewlett-Packard recommends that 
you use the SNTP feature. 



USING THE CLI 

To identify an SNTP server with IP address 208.99.8.95 to act as the clock reference for a switch or routing switch, 
enter the following: 

HP9300(config)# sntp server 208.99.8.95 

Syntax: sntp server <ip-addr> | <hostname> [<version>] 

The <version> parameter specifies the SNTP version the server is running and can be from 1 - 4. The default 
is 1. You can configure up to three SNTP servers by entering three separate sntp server commands. 

By default, the switch or routing switch polls its SNTP server every 30 minutes (1800 seconds). To configure the 
switch or routing switch to poll for clock updates from a SNTP server every 15 minutes, enter the following: 

HP9300(config)# sntp poll-interval 900 

Syntax: [no] sntp poll-interval <1-65535> 
To display information about SNTP associations, enter the following command: 

HP9300# show sntp associations 
  address          ref clock      st  when  poll  delay  disp 
 ~207.95.6.102     0.0.0.0        16   202     4    0.0  5.45 
 ~207.95.6.101     0.0.0.0        16   202     0    0.0   0.0 
 * synced, ~ configured 

Syntax: show sntp associations 

The following table describes the information displayed by the show sntp associations command. 

Table 9.1: Output from the show sntp associations command 

This Field...         Displays... 
(leading character)   One or both of the following: 
                      * Synchronized to this peer 
                      ~ Peer is statically configured 
address               IP address of the peer 
ref clock             IP address of the peer's reference clock 
st                    NTP stratum level of the peer 
when                  Amount of time since the last NTP packet was received from the peer 
poll                  Poll interval in seconds 
delay                 Round trip delay in milliseconds 
disp                  Dispersion in seconds 



To display information about SNTP status, enter the following command: 

HP9300# show sntp status 

Clock is unsynchronized, stratum = 0, no reference clock 

precision is 2**0 

reference time is 0.0 

clock offset is 0.0 msec, root delay is 0.0 msec 

root dispersion is 0.0 msec, peer dispersion is 0.0 msec 

Syntax: show sntp status 

The following table describes the information displayed by the show sntp status command. 

Table 9.2: Output from the show sntp status command 

This Field...         Indicates... 
unsynchronized        System is not synchronized to an NTP peer. 
synchronized          System is synchronized to an NTP peer. 
stratum               NTP stratum level of this system 
reference clock       IP Address of the peer (if any) to which the unit is synchronized 
precision             Precision of this system's clock (in Hz) 
reference time        Reference time stamp 
clock offset          Offset of clock to synchronized peer 
root delay            Total delay along the path to the root clock 
root dispersion       Dispersion of the root path 
peer dispersion       Dispersion of the synchronized peer 
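The clock offset, root delay and stratum fields above are derived from the SNTP exchange itself. The following example is added here and is not from the HP manual: a Python script that constructs a 48-byte SNTP server reply, decodes it, computes the offset and round-trip delay from the four timestamps, and flags a reply whose leap indicator is 3 or whose stratum is 0 (the unsynchronized state that show sntp status reports) so that a client does not set its clock from it. The packet layout follows RFC 4330; the timestamps and reference identifier are constructed values. 

```python
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)
HEADER = "!BBbbII4s8I"          # 48-byte SNTP packet: flags, stratum, poll, precision,
                                # root delay, root dispersion, ref id, 4 x 64-bit timestamps


def to_ntp(unix_seconds):
    """Unix time (float) -> (seconds, fraction) 64-bit NTP timestamp."""
    whole = int(unix_seconds)
    return whole + NTP_EPOCH_OFFSET, int((unix_seconds - whole) * (1 << 32))


def from_ntp(seconds, fraction):
    """(seconds, fraction) NTP timestamp -> Unix time (float)."""
    return seconds - NTP_EPOCH_OFFSET + fraction / (1 << 32)


def build_reply(li, version, stratum, ref_id, t1, t2, t3):
    """Construct a server reply (mode 4) carrying originate t1, receive t2 and transmit t3.

    Constructed test data only; a real reply comes from the server over UDP/123.
    """
    first = (li << 6) | (version << 3) | 4
    return struct.pack(HEADER, first, stratum, 0, 0, 0, 0, ref_id,
                       0, 0, *to_ntp(t1), *to_ntp(t2), *to_ntp(t3))


def parse_reply(data, t4):
    """Decode a reply received at local time t4 and compute offset and delay.

    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay  = (t4 - t1) - (t3 - t2)
    A reply with leap indicator 3 (clock not synchronized) or a stratum outside
    1..15 (0 = kiss-o'-death/unsynchronized, 16 = unsynchronized) is flagged so
    the caller does not step its clock from it.
    """
    if len(data) < 48:
        raise ValueError("short SNTP packet")
    first, stratum, _poll, _prec, _rdelay, _rdisp, ref_id, *ts = struct.unpack(HEADER, data[:48])
    li, version, mode = first >> 6, (first >> 3) & 7, first & 7
    if mode != 4:
        raise ValueError(f"not a server reply (mode {mode})")
    t1 = from_ntp(ts[2], ts[3])   # originate: when the client sent its request
    t2 = from_ntp(ts[4], ts[5])   # receive: when the server got it
    t3 = from_ntp(ts[6], ts[7])   # transmit: when the server answered
    return {
        "version": version,
        "stratum": stratum,
        "ref_id": ref_id,
        "synchronized": li != 3 and 1 <= stratum <= 15,
        "offset": ((t2 - t1) + (t3 - t4)) / 2,
        "delay": (t4 - t1) - (t3 - t2),
    }


if __name__ == "__main__":
    # Client clock runs 2.125 s behind the server; network path costs 0.75 s round trip.
    reply = build_reply(0, 4, 2, b"\x0a\x00\x00\x01", 1000.0, 1002.5, 1002.75)
    print(parse_reply(reply, 1001.0))
    kod = build_reply(3, 4, 0, b"RATE", 1000.0, 1000.0, 1000.0)
    print(parse_reply(kod, 1000.0)["synchronized"])
```

The offset sign tells the client which way to step: a positive offset means the local clock is behind the server. Treating an unsynchronized reply as authoritative would set the device clock to whatever the peer sends, which is why the flag is checked before the offset is used. 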



USING THE WEB MANAGEMENT INTERFACE 
To identify a reference SNTP server for the system: 

1. Log on to the device using a valid user name and password for read-write access. The System configuration 
panel is displayed. 

2. Select the NTP link to display the NTP panel. 

3. Optionally change the polling time by editing the value in the Polling Time field, then click Apply to save the 
change in the device's running-config file. You can specify a number from 1 - 65535. 

4. Select the NTP Server link to display the NTP Server panel. 

NOTE: If you have already configured an SNTP server, the server information is listed. Select the Add NTP 
Server link at the bottom of the panel. 

5. Enter the IP address of the SNTP server. 

6. Select the SNTP version the server is running from the version field's pulldown menu. The default version 
is 1. 

7. Click the Add button to save the change to the device's running-config file. 

8. Repeat steps 5 - 7 up to two more times to add a total of three SNTP servers. 

9. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change 
to the startup-config file on the device's flash memory. 

Setting the System Clock 

In addition to SNTP support, HP switches and routing switches also allow you to set the system time counter. The 
time counter setting is not retained across power cycles and is not automatically synchronized with an SNTP 
server. The counter merely starts the system time and date clock with the time and date you specify. 



NOTE: You can synchronize the time counter with your SNTP server time by entering the sntp sync command 
from the Privileged EXEC level of the CLI. 



NOTE: Unless you identify an SNTP server for the system time and date, you will need to re-enter the time and 
date following each reboot. 

For more details about SNTP, see "Specifying a Simple Network Time Protocol (SNTP) Server" on page 9-10. 
USING THE CLI 

To set the system time and date to 10:15:05 on October 15, 1999, enter the following command: 

HP9300# clock set 10:15:05 10-15-99 

Syntax: [no] clock set <hh:mm:ss> <mm-dd-yy> | <mm-dd-yyyy> 

By default, HP switches and routing switches do not change the system time for daylight savings time. To enable 
daylight savings time, enter the following command: 
HP9300# clock summer-time 

Syntax: clock summer-time 

Although SNTP servers typically deliver the time and date in Greenwich Mean Time (GMT), you can configure the 
switch or routing switch to adjust the time for any one-hour offset from GMT or for one of the following U.S. time 
zones: 

• US Pacific (default) 

• Alaska 

• Aleutian 

• Arizona 

• Central 

• East-Indiana 

• Eastern 

• Hawaii 

• Michigan 

• Mountain 

• Pacific 

• Samoa 

The default is US Pacific. 

To change the time zone to Australian East Coast time (which is normally 10 hours ahead of GMT), enter the 
following command: 

HP9300(config)# clock timezone gmt+10 

Syntax: clock timezone gmt | us <time-zone> 

You can enter one of the following values for <time-zone>: 

• US time zones (us): alaska, aleutian, arizona, central, east-indiana, eastern, hawaii, michigan, mountain, 
pacific, samoa. 

• GMT time zones (gmt): gmt+12, gmt+11, gmt+10 ... gmt+01, gmt+00, gmt-01 ... gmt-10, gmt-11, gmt-12. 

USING THE WEB MANAGEMENT INTERFACE 

To set the local time for the system: 

1. Log on to the device using a valid user name and password for read-write access. The System configuration 
panel is displayed. 

2. Select the Clock link to display the Clock panel, shown below. 

[Clock panel: Time Zone (pulldown, e.g. GMT+00); Daylight Saving Time (Disable / Enable); Date (mm-dd-yyyy); 
Time (hh:mm:ss, AM/PM); Apply and Reset buttons] 

3. Select the time zone by selecting the offset from Greenwich Mean Time that applies to your time zone. For 
example, to set your device to California time, select GMT-08, which means Greenwich Mean Time minus 
eight hours. 

NOTE: You do not need to adjust for Daylight Savings Time. You enable or disable Daylight Savings Time 
separately in the following step. 

4. Select Disable or Enable next to Daylight Saving Time to enable or disable it. 

5. Enter the month, day, and year in the Date fields. You must enter the year as four digits. 

6. Enter the hour, minute, and seconds in the Time fields. 

7. Select AM or PM. 

8. Click Apply to save the changes to the device's running-config file. 

9. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change 
to the startup-config file on the device's flash memory. 

Configuring the Syslog Service 

The procedures in this section describe how to perform the following Syslog configuration tasks: 

• Specify a SyslogD server. You can configure the HP device to use up to six SyslogD servers. (Use of a 
SyslogD server is optional. The system can hold up to 100 Syslog messages in an internal buffer.) 

• Change the level of messages the system logs. 

• Change the number of messages the local Syslog buffer can hold. 

• Display the Syslog configuration. 

• Clear the local Syslog buffer. 

Logging is enabled by default, with the following settings: 

• Messages of all severity levels (Emergencies - Debugging) are logged. 

• Up to 50 messages are retained in the local Syslog buffer. 

• No SyslogD server is specified. 

Syslog Overview 

The HP device's software can write syslog messages to provide information at the following severity levels: 

• Emergencies 

• Alerts 

• Critical 

• Errors 

• Warnings 

• Notifications 

• Informational 

• Debugging 

The device writes the messages to a local buffer that can hold up to 100 messages. You also can specify the IP 
address or host name of up to six SyslogD servers. When you specify a SyslogD server, the HP device writes the 
messages both to the system log and to the SyslogD server. 

Using a SyslogD server ensures that the messages remain available even after a system reload. The HP device's 
local Syslog buffer is cleared during a system reload or reboot, but the Syslog messages sent to the SyslogD 
server remain on the server. 
The SyslogD service on a Syslog server receives logging messages from applications on the local host or from 
devices such as a routing switch or switch. SyslogD adds a time stamp to each received message and directs 
messages to a log file. Most Unix workstations come with SyslogD configured. Some third party vendor products 
also provide SyslogD running on NT. 

SyslogD uses UDP port 514 and each SyslogD message thus is sent with destination port 514. Each SyslogD 
message is one line with syslogd message format. The message is embedded in the text portion of the SyslogD 
format. There are several subfields in the format. Keywords are used to identify each subfield, and commas are 
delimiters. The subfield order is insensitive except that the text subfield should be the last field in the message. 
All the subfields are optional. 

To set logging parameters, use one of the following methods. 

USING THE CLI 

Syslog is enabled by default. To disable it, enter the following command at the global CONFIG level: 

HP9300(config)# logging off 

Syntax: logging on | off 

To re-enable logging, enter the following command: 

HP9300(config)# logging on 

This command enables local Syslog logging with the following defaults: 

• Messages of all severity levels (Emergencies - Debugging) are logged. 

• Up to 50 messages are retained in the local Syslog buffer. 

• No SyslogD server is specified. 

Specifying a SyslogD Server 

To specify a SyslogD server, enter a command such as the following: 

HP9300(config)# logging 10.0.0.99 

Syntax: logging <ip-addr> | <server-name> 

NOTE: You can specify a server name only if you have already configured the DNS Resolver feature. See the 
"Configuring IP" chapter in the Advanced Configuration and Management Guide. 

Specifying an Additional SyslogD Server 

To specify an additional SyslogD server, enter the logging <ip-addr> command again, as in the following 
example. You can specify up to six SyslogD servers. 

HP9300(config)# logging 10.0.0.69 

Syntax: logging <ip-addr> | <server-name> 

Disabling Logging of a Message Level 

To change the message level, disable logging of specific message levels. You must disable the message levels 
on an individual basis. For example, to disable logging of debugging and informational messages, enter the 
following commands: 

HP9300(config)# no logging buffered debugging 
HP9300(config)# no logging buffered informational 

Syntax: [no] logging buffered <level> | <num-entries> 

The <level> parameter can have one of the following values: 

• alerts 

• critical 
• debugging 

• emergencies 

• errors 

• informational 

• notifications 

• warnings 

The commands in the example above change the log level to notification messages or higher. The software will 
not log informational or debugging messages. The changed message level also applies to the SyslogD servers. 

Changing the Number of Entries the Local Buffer Can Hold 

You also can use the logging buffered command to change the number of entries the local Syslog buffer can 
store. For example: 

HP9300(config)# logging buffered 100 

The default number of messages is 50. The value can be 50 - 100. The change takes effect immediately and 
does not require you to reload the software. 

NOTE: If you decrease the size of the buffer, the software clears the buffer before placing the change into effect. 
If you increase the size of the buffer, the software does not clear existing entries. 



Changing the Log Facility 

The SyslogD daemon on the SyslogD server uses a facility to determine where to log the messages from the HP 
device. The default facility for messages the HP device sends to the SyslogD server is "user". You can change 
the facility using the following command. 



NOTE: You can specify only one facility. If you configure the HP device to use two SyslogD servers, the device 
uses the same facility on both servers. 

HP9300(config)# logging facility local0 

Syntax: logging facility <facility-name> 

The <facility-name> can be one of the following: 

• kern - kernel messages 

• user - random user-level messages 

• mail - mail system 

• daemon - system daemons 

• auth - security/authorization messages 

• syslog - messages generated internally by syslogd 

• lpr - line printer subsystem 

• news - netnews subsystem 

• uucp - uucp subsystem 

• sys9 - cron/at subsystem 

• sys10 - reserved for system use 

• sys11 - reserved for system use 

• sys12 - reserved for system use 

• sys13 - reserved for system use 

• sys14 - reserved for system use 

• cron - cron/at subsystem 

• local0 - reserved for local use 

• local1 - reserved for local use 

• local2 - reserved for local use 

• local3 - reserved for local use 

• local4 - reserved for local use 

• local5 - reserved for local use 

• local6 - reserved for local use 

• local7 - reserved for local use 
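The following example is added here and is not from the HP manual. It is a Python script that shows how the facility chosen above and the message severity are carried in the PRI field at the start of each UDP port 514 datagram the SyslogD server receives (BSD syslog encoding, PRI = facility * 8 + severity), so that a collector can separate messages the HP device logs to local0 from the host's own "user" facility messages and can drop the levels that were disabled with no logging buffered. The facility codes for sys9 - sys14 are omitted because the manual does not give their numeric values; the sample datagrams are constructed. 

```python
# Facility codes from the BSD syslog scheme (RFC 3164). The manual's sys9-sys14
# names are omitted because it does not state their numeric codes.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
# Severity codes 0-7, named as the device's logging buffered <level> keywords.
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]


def pri(facility, severity):
    """PRI value carried in the datagram header."""
    return FACILITIES[facility] * 8 + SEVERITIES.index(severity)


def build_datagram(facility, severity, text):
    """UDP/514 payload: "<PRI>" followed by the one-line message text."""
    return f"<{pri(facility, severity)}>{text}".encode("ascii")


def decode_datagram(data):
    """Split a received payload into (facility, severity, text); None if the PRI is malformed."""
    if not data.startswith(b"<"):
        return None
    end = data.find(b">", 1, 5)          # PRI is 1-3 digits, so ">" is at index 2..4
    if end == -1 or not data[1:end].isdigit():
        return None
    value = int(data[1:end])
    if value > 191:                      # largest valid PRI: facility 23 * 8 + severity 7
        return None
    fac_code, sev_code = divmod(value, 8)
    names = {code: name for name, code in FACILITIES.items()}
    text = data[end + 1:].decode("ascii", "replace")
    return names.get(fac_code, f"facility{fac_code}"), SEVERITIES[sev_code], text


def filter_datagrams(datagrams, disabled_levels):
    """Keep well-formed datagrams whose severity was not disabled individually.

    Mirrors the device-side 'no logging buffered <level>' behaviour, which
    disables levels one at a time rather than setting a threshold.
    """
    kept = []
    for d in datagrams:
        decoded = decode_datagram(d)
        if decoded and decoded[1] not in disabled_levels:
            kept.append(decoded)
    return kept


if __name__ == "__main__":
    # Constructed sample: the manual's "Warm start" entry sent with facility local0.
    msg = build_datagram("local0", "informational", "Dec 15 18:45:15:I:Warm start")
    print(msg)                            # b'<134>Dec 15 18:45:15:I:Warm start'
    print(decode_datagram(msg))
    print(filter_datagrams([msg, b"<135>debug detail", b"no pri here"], {"debugging"}))
```

With the default facility "user", the same informational message would carry PRI 14 and land in the same log file as local user-level messages on the server; selecting local0 gives it PRI 134, which a syslogd selector such as local0.* can route to a file of its own. 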



Displaying the Syslog Configuration 

To display the Syslog parameters currently in effect on an HP device, enter the following command from any level 
of the CLI: 

HP9300> show logging 

Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns) 
Buffer logging: level ACDMEINW, 3 messages logged 
level code: A=alert C=critical D=debugging M=emergency E=error 
I=informational N=notification W=warning 

Static Log Buffer: 

Dec 15 19:04:14:A: Fan 1, fan on right connector, failed 
Dynamic Log Buffer (50 entries): 

Dec 15 18:46:17:I:Interface ethernet4, state up 

Dec 15 18:45:21:I:Bridge topology change, vlan 4095, interface 4, changed 
state to forwarding 

Dec 15 18:45:15:I:Warm start 

Syntax: show logging 

The value "ACDMEINW" indicates message levels that are enabled. Each letter represents a message type and 
is identified by the key below the value. For examples of Syslog messages, see the Command Line Interface 
Reference. 

USING THE WEB MANAGEMENT INTERFACE 

To configure Syslog parameters using the Web management interface, use the following procedure: 

1. Log on to the device using a valid user name and password for read-write access. The System configuration 
panel is displayed. 

2. Select Management from the System configuration sheet to display the Management panel. 

3. Select the System Log link to display the following panel. 
[System Log panel: Logging (Disable / Enable); Buffer Size (default 50); Server IP Address; Facility (default user); 
Accept Severity checkboxes for alert, critical, debugging, emergency, error, informational, notification and warning; 
Apply and Reset buttons] 

4. Select Disable or Enable next to Logging to disable or enable the Syslog service on the device. The service 
is enabled by default. 

5. Optionally change the number of entries the local Syslog buffer can hold. The buffer size can be from 
50-100. The default is 50. 



NOTE: A change in the buffer size takes effect only after you restart the system. The buffer size does not 
affect how many entries the device can log on a SyslogD server. The number of entries the device can log on 
the server depends on the server's configuration. 



6. Enter the IP address of your SyslogD server, if you want the device to log messages on the SyslogD server 
as well as in the local buffer. 

7. Select the messages facility. The default is User. For a list of values, display the pulldown menu or see 
"Changing the Log Facility" on page 9-16. 

8. Select the message levels you want the device to log. All the levels are logged by default. 

9. Click Apply to save the changes to the device's running-config file. 

10. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change 
to the startup-config file on the device's flash memory. 

Clearing the Syslog Messages from the Local Buffer 

To clear the Syslog messages stored in the HP device's local buffer, enter the following command from the 
Privileged EXEC level the CLI: 

HP9300# clear logging 

Syntax: clear logging 

USING THE WEB MANAGEMENT INTERFACE 

To clear Syslog messages using the Web management interface, use the following procedure: 

1. Log on to the device using a valid user name and password for read-write access. The System configuration
panel is displayed.

2. Click on the plus sign next to Command in the tree view to display the command options. 

3. Select the Clear link to display the Clear panel. 
4. Click on the checkbox next to System Logging to place a checkmark in the box.

5. Click Apply to clear the log. 

Changing the Default Gigabit Negotiation Mode 

You can configure the default Gigabit negotiation mode to be one of the following: 

• Negotiate-full-auto - The port first tries to perform a handshake with the other port to exchange capability 
information. If the other port does not respond to the handshake attempt, the port uses the manually 
configured configuration information (or the defaults if an administrator has not set the information). This is 
the default. 

• Auto-Gigabit - The port tries to perform a handshake with the other port to exchange capability information. 

• Negotiation-off - The port does not try to perform a handshake. Instead, the port uses configuration 
information manually configured by an administrator. 

Although the standard for 100Base-TX ports provides an option for a negotiating port to link with a non-negotiating
port, the 802.3x standard for Gigabit ports does not provide this option. As a result, unless the ports at both ends
of a Gigabit Ethernet link use the same mode (either auto-Gigabit or negotiation-off), the ports cannot establish a 
link. An administrator must intervene to manually configure one or both sides of the link to enable the ports to 
establish the link. 

The software provides a solution by changing the default negotiation behavior for Gigabit Ethernet ports. The new 
default behavior allows a port to establish a link with another port whether the other port is configured for auto- 
Gigabit or negotiation-off. By default, Gigabit Ethernet ports first attempt auto-Gigabit. If auto-Gigabit does not 
succeed (typically because the port at the other end is not configured for auto-Gigabit), the port switches to 
negotiation-off. 

Changing the Negotiation Mode 

You can change the negotiation mode globally and for individual ports. Use either of the following methods. 
USING THE CLI 

To change the mode globally, enter a command such as the following: 

HP9300(config)# gig-default neg-off

This command changes the global setting to negotiation-off. The global setting applies to all Gigabit Ethernet 
ports except those for which you set a different negotiation mode on the port level. 

To change the mode for individual ports, enter commands such as the following: 

HP9300(config)# int ethernet 4/1 to 4/4

HP9300(config-mif-4/1-4/4)# gig-default auto-gig

This command overrides the global setting and sets the negotiation mode to auto-Gigabit for ports 4/1 - 4/4. 

Here is the syntax for globally changing the negotiation mode. 

Syntax: gig-default neg-full-auto | auto-gig | neg-off

Here is the syntax for changing the negotiation mode on individual ports. 

Syntax: gig-default neg-full-auto | auto-gig | neg-off

USING THE WEB MANAGEMENT INTERFACE 

To change the global default: 

1. Log on to the device using a valid user name and password for read-write access. The System configuration
panel is displayed.

2. Select the Advance link to display the advanced System parameters panel. 

3. Select one of the following values from the Gig Port Default field's pulldown menu: 
• Neg-off - The port does not try to perform a handshake. Instead, the port uses configuration information
manually configured by an administrator.

• Auto-Gig - The port tries to perform a handshake with the other port to exchange capability information.

• Neg-Full-Auto - The port first tries to perform a handshake with the other port to exchange capability
information. If the other port does not respond to the handshake attempt, the port uses the manually 
configured configuration information (or the defaults if an administrator has not set the information). 

4. Click Apply to save the changes to the device's running-config file. 

5. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change 
to the startup-config file on the device's flash memory. 

To override the global negotiation mode for an individual port: 

1. Log on to the device using a valid user name and password for read-write access. The System configuration
panel is displayed.

2. Click on the plus sign next to Configure in the tree view to display the configuration options. 

3. Select the Port link to display the Port table. 

4. Click on the Modify button next to the row of information for the port you want to reconfigure. 

5. Select one of the following values from the Gig Port Default field's pulldown menu: 

Default - The port uses the negotiation mode that was set at the global level. 

• Neg-off - The port does not try to perform a handshake. Instead, the port uses configuration information 
manually configured by an administrator. 

• Auto-Gig - The port tries to perform a handshake with the other port to exchange capability information. 

• Neg-Full-Auto - The port first tries to perform a handshake with the other port to exchange capability 
information. If the other port does not respond to the handshake attempt, the port uses the manually 
configured configuration information (or the defaults if an administrator has not set the information). 

6. Click Apply to save the changes to the device's running-config file. 

7. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change 
to the startup-config file on the device's flash memory. 

Limiting Broadcast, Multicast, or Unknown-Unicast Rates 

HP devices forward all traffic at wire speed. However, some third-party networking devices cannot handle high 
forwarding rates for these types of packets. You can limit the number of broadcast, multicast, or unknown-unicast 
packets an HP device forwards each second using the following methods. 

The limits are individually configurable for broadcasts, multicasts, and unknown-unicasts. 



NOTE: By default, IP Multicast (including IGMP) is disabled. You can enable it using the ip multicast passive | 
active command. As long as IP Multicast is enabled (regardless of whether it is passive or active), no IP Multicast
packets (not even IGMP packets) are limited. See "Configuring IP Multicast Traffic Reduction (HP 6208M-SX 
only)" on page 9-47. 



Limiting Broadcasts 

To limit the number of broadcast packets an HP device can forward each second, use the following CLI method. 
USING THE CLI 

To globally limit the number of broadcast packets an HP 9304M or HP 9308M routing switch forwards to 100,000 
per second, enter the following command at the global CONFIG level of the CLI: 

HP9300(config)# broadcast limit 100000

HP9300(config)# write memory

To limit the number of broadcast packets sent on port 1/3 to 80,000, enter the following commands:

HP9300(config)# int ethernet 1/3

HP9300(config-if-1/3)# broadcast limit 80000

HP9300(config-if-1/3)# write memory

USING THE WEB MANAGEMENT INTERFACE 

You cannot perform this procedure using the Web management interface. 
Limiting Multicasts 

To limit the number of multicast packets an HP device can forward each second, use the following CLI method. 
USING THE CLI 

To globally limit the number of multicast packets an HP 9304M or HP 9308M routing switch forwards to 120,000 
per second, enter the following command at the global CONFIG level of the CLI: 

HP9300(config)# multicast limit 120000

HP9300(config)# write memory

To limit the number of multicast packets sent on port 3/6 to 55,000, enter the following commands:

HP9300(config)# int ethernet 3/6

HP9300(config-if-3/6)# multicast limit 55000

HP9300(config-if-3/6)# write memory

USING THE WEB MANAGEMENT INTERFACE 

You cannot perform this procedure using the Web management interface. 
Limiting Unknown Unicasts 

To limit the number of unknown unicast packets an HP device can forward each second, use the following CLI
method.

USING THE CLI 

To globally limit the number of unknown unicast packets an HP 9304M or HP 9308M routing switch forwards to 
110,000 per second, enter the following command at the global CONFIG level of the CLI: 

HP9300(config)# unknown-unicast limit 110000

HP9300(config)# write memory

To limit the number of unknown unicast packets sent on port 4/2 to 40,000, enter the following commands:

HP9300(config)# int ethernet 4/2

HP9300(config-if-4/2)# unknown-unicast limit 40000

HP9300(config-if-4/2)# write memory

USING THE WEB MANAGEMENT INTERFACE

You cannot perform this procedure using the Web management interface. 

Configuring CLI Banners 

HP devices can be configured to display a greeting message on users' terminals when they enter the Privileged 
EXEC CLI level or access the device through Telnet. In addition, an HP device can display a message on the 
Console when an incoming Telnet CLI session is detected. 
Setting a Message of the Day Banner

You can configure the HP device to display a message on a user's terminal when he or she establishes a Telnet 
CLI session. For example, to display the message "Welcome to HP 9304M or HP 9308M!" when a Telnet CLI 
session is established: 

HP9300(config)# banner motd $ (Press Return)

Enter TEXT message, End with the character '$'.

Welcome to HP 9308M! $

A delimiting character is established on the first line of the banner motd command. You begin and end the 
message with this delimiting character. The delimiting character can be any character except " (double-quotation 
mark) and cannot appear in the banner text. In this example, the delimiting character is $ (dollar sign). The text in 
between the dollar signs is the contents of the banner. The banner text can be up to 2048 characters long and 
can consist of multiple lines. To remove the banner, enter the no banner motd command. 

Syntax: [no] banner <delimiting-character> | [motd <delimiting-character>]



NOTE: The banner <delimiting-character> command is equivalent to the banner motd <delimiting-character> 
command. 



When you access the Web management interface, the banner is displayed: 




Setting a Privileged EXEC CLI Level Banner 

You can configure the HP device to display a message when a user enters the Privileged EXEC CLI level. For 
example: 

HP9300(config)# banner exec_mode # (Press Return)
Enter TEXT message, End with the character '#'.
You are entering Privileged EXEC level
Don't foul anything up! #

As with the banner motd command, you begin and end the message with a delimiting character; in this example, 
the delimiting character is # (pound sign). To remove the banner, enter the no banner exec_mode command. 

Syntax: [no] banner exec_mode <delimiting-character> 

Displaying a Message on the Console When an Incoming Telnet Session Is Detected 

You can configure the HP device to display a message on the Console when a user establishes a Telnet session. 
This message indicates where the user is connecting from and displays a configurable text message. 

For example: 

HP9300(config)# banner incoming $ (Press Return)
Enter TEXT message, End with the character '$'.
Incoming Telnet Session!! $

When a user connects to the CLI using Telnet, the following message appears on the Console: 

Telnet from 209.157.22.63 
Incoming Telnet Session!! 

Syntax: [no] banner incoming <delimiting-character> 

To remove the banner, enter the no banner incoming command. 
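As an added example that is not part of the HP manual, the following Python models the delimiter rule shared by the banner motd, banner exec_mode and banner incoming commands above: the character after the command becomes the delimiter, the text runs (possibly over several lines) until that character reappears, the delimiter cannot be a double quotation mark, and the text is capped at 2048 characters. How the device itself reacts to a bad delimiter or an over-long banner is not stated on the page, so the error handling is an assumption.

```python
from typing import Dict, Iterable, List, Tuple

MAX_BANNER_CHARS = 2048            # limit stated in the manual
BANNER_KINDS = {"motd", "exec_mode", "incoming"}


class BannerError(ValueError):
    """Raised for input the manual's rules do not allow (assumed behaviour)."""


def parse_banner_command(command: str) -> Tuple[str, str]:
    """Return (kind, delimiter) for 'banner <d>', 'banner motd <d>',
    'banner exec_mode <d>' or 'banner incoming <d>'.

    'banner <d>' is equivalent to 'banner motd <d>', as the manual states.
    """
    parts = command.split()
    if len(parts) == 2 and parts[0] == "banner":
        kind, delim = "motd", parts[1]
    elif len(parts) == 3 and parts[0] == "banner" and parts[1] in BANNER_KINDS:
        kind, delim = parts[1], parts[2]
    else:
        raise BannerError(f"unrecognized banner command: {command!r}")
    if len(delim) != 1:
        raise BannerError("delimiter must be a single character")
    if delim == '"':
        raise BannerError("double quotation mark cannot be used as the delimiter")
    return kind, delim


def read_banner_text(delim: str, lines: Iterable[str]) -> str:
    """Collect the text typed after the prompt, stopping at the delimiter.

    The delimiter cannot appear inside the banner, so the first occurrence
    always terminates it; anything after it on that line is discarded.
    """
    collected: List[str] = []
    for line in lines:
        idx = line.find(delim)
        if idx >= 0:
            collected.append(line[:idx])
            text = "\n".join(collected).rstrip()
            if len(text) > MAX_BANNER_CHARS:
                raise BannerError(f"banner text exceeds {MAX_BANNER_CHARS} characters")
            return text
        collected.append(line)
    raise BannerError(f"terminating delimiter {delim!r} not found")


def configure_banner(command: str, lines: Iterable[str]) -> Dict[str, str]:
    """Run one complete exchange; returns the banner or an error description."""
    try:
        kind, delim = parse_banner_command(command)
        return {"kind": kind, "text": read_banner_text(delim, lines)}
    except BannerError as exc:
        return {"error": str(exc)}


def incoming_console_message(peer_ip: str, incoming_banner: str) -> str:
    """Console text shown when a Telnet session arrives: the source line the
    device prints, followed by the configured 'banner incoming' text."""
    return f"Telnet from {peer_ip}\n{incoming_banner}"


if __name__ == "__main__":
    # Constructed input mirroring the exec_mode exchange in the manual.
    print(configure_banner("banner exec_mode #",
                           ["You are entering Privileged EXEC level",
                            "Don't foul anything up! #"]))
```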
Configuring Basic Port Parameters

The procedures in this section describe how to configure the following port parameters: 

• Name - see "Assigning a Port Name" on page 9-24 

• Speed - see "Modifying Port Speed" on page 9-25 

• Mode (half-duplex or full-duplex) - see "Modifying Port Mode" on page 9-26 

• Status - see "Disabling or Re-Enabling a Port" on page 9-26 

• Flow control - see "Disabling or Re-Enabling Flow Control" on page 9-27 

• Gigabit negotiate mode - see "Changing the 802.3x Gigabit Negotiation Mode" on page 9-28

• QoS priority - see "Modifying Port Priority (QoS)" on page 9-29 

NOTE: To modify Layer 2, Layer 3, or Layer 4 features on a port, see the appropriate section in this chapter or 
other chapters. 

All HP ports are pre-configured with default values that allow the device to be fully operational at initial startup 
without any additional configuration. However, in some cases, changes to the port parameters may be necessary 
to adjust to attached devices or other network requirements. 

The current port configuration for all ports is displayed when you select the Port link from the Configure tree. You 
can easily determine a port's state by observing the color in the Port field. 

• Red - indicates there is no link. 

• Green - indicates the link is good. 

This example shows the port states for an HP 9304M or HP 9308M routing switch that has not yet been connected 
to the rest of the network. 
Click on the Copy or Modify button next to a row of port information to display a configuration panel for that port.

• Select Modify to change parameters for a port. 

• Select Copy to apply a port's parameter settings to another port. 
Here is an example of the Port configuration panel. 



[Port configuration panel for Slot 4, Port 24, MAC 00-e0-52-f0-4f-00]



NOTE: A slot option appears on the chassis port configuration sheet. Slot corresponds to a module slot number. 
See "Slot and Port Numbers" on page 8-8. 



NOTE: The IEEE Tagging option appears only on the Port configuration sheet when tagging is enabled at the 
system level and a VLAN is defined on the system. 



NOTE: The port speed option 1 Gbps is displayed only when a 1000BaseSX, 1000BaseLX, or 1000BaseT
Gigabit port or module is resident on the device. Additionally, only the full-duplex mode is visible. When a
10/100BaseTX Ethernet port or module is being configured, the options are 10/100 Auto, 10 Mbps, and 100 Mbps.



Assigning a Port Name 

A port name can be assigned to help identify interfaces on the network. You can assign a port name to physical 
ports, virtual interfaces, and loopback interfaces. 

USING THE CLI 

To assign a name to a port: 

HP9300(config)# interface e 2/8

HP9300(config-if-2/8)# port-name Marsha Marketeer

Syntax: port-name <text>

The <text> parameter is an alphanumeric string. The name can be up to 255 characters long. The name can 
contain blanks. You do not need to use quotation marks around the string, even when it contains blanks. 
USING THE WEB MANAGEMENT INTERFACE

1. Log on to the device using a valid user name and password for read-write access. The System configuration
panel is displayed.

2. Click on the plus sign next to Configure in the tree view to display the configuration options. 

3. Select the Port link to display the Port table. 

4. Click on the Modify button next to the row of information for the port you want to reconfigure. 

5. Enter a name in the Name field. 

6. Click Apply to save the changes to the device's running-config file. 

7. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change 
to the startup-config file on the device's flash memory. 

Modifying Port Speed 

Each of the 10BaseT/100BaseTX ports is designed to auto-sense and auto-negotiate the speed and mode of the
connected device. If the attached device does not support this operation, you can manually enter the port speed
to operate at either 10 Mbps or 100 Mbps. The default value for 10BaseT/100BaseTX ports is 10/100 Auto-sense.

The 100BaseFX ports operate in the full-duplex mode at 100 Mbps only and cannot be modified. 

The 1000BaseSX, 1000BaseLX, and 1000BaseT ports operate in the full-duplex mode at one Gigabit only and 
cannot be modified. 

USING THE CLI 

To change the port speed of interface 8 from the default of 10/100 auto-sense to 10 Mbps operating at full-duplex, 
enter the following: 

HP9300(config)# interface e8

HP9300(config-if-8)# speed-duplex 10-full

Syntax: speed-duplex <value> 

The <value> can be one of the following: 

• 10-full

• 10-half

• 100-full 

• 100-half 

• auto 

The default is auto. 

USING THE WEB MANAGEMENT INTERFACE 
To modify port speed: 

1. Log on to the device using a valid user name and password for read-write access. The System configuration
panel is displayed.

2. Click on the plus sign next to Configure in the tree view to display the configuration options. 

3. Select the Port link to display the Port table. 

4. Click on the Modify button next to the row of information for the port you want to reconfigure. 

5. Click next to Full Duplex if you want to change the mode to full-duplex only. (This applies only to 10/100 
ports.) 

6. Click Disable or Enable next to Auto Negotiate to enable or disable auto-negotiation. 

7. Click Apply to save the changes to the device's running-config file. 
8. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change
to the startup-config file on the device's flash memory. 

Modifying Port Mode 

You can configure a port to accept either full-duplex (bi-directional) or half-duplex (uni-directional) traffic. This
option is available only for 10/100 Mbps ports. The 100BaseFX, 1000BaseSX, and 1000BaseLX ports operate
only at full-duplex.

USING THE CLI 

Port duplex mode and port speed are modified by the same command. 

To change the port speed of interface 8 from the default of 10/100 auto-sense to 10 Mbps operating at full-duplex, 
enter the following: 

HP9300(config)# interface e8

HP9300(config-if-8)# speed-duplex 10-full

Syntax: speed-duplex <value> 

The <value> can be one of the following: 

• 10-full 

• 10-half 

• 100-full 

• 100-half 

• auto 

The default is auto. 

USING THE WEB MANAGEMENT INTERFACE 
To modify port mode: 

1. Log on to the device using a valid user name and password for read-write access. The System configuration
panel is displayed.

2. Click on the plus sign next to Configure in the tree view to display the configuration options. 

3. Select the Port link to display the Port table. 

4. Click on the Modify button next to the row of information for the port you want to reconfigure. 

5. Click next to Full Duplex to select or de-select full duplex mode. Full-duplex mode is selected when the radio 
button (small circle) next to Full Duplex contains a black dot. 

6. Click Apply to save the changes to the device's running-config file. 

7. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change 
to the startup-config file on the device's flash memory. 

Disabling or Re-Enabling a Port 

The port can be made inactive (disable) or active (enable) by selecting the appropriate status option. The default 
value for a port is enabled. 

USING THE CLI 

To disable port 8 on module 1 of an HP Chassis device, enter the following: 

HP9300(config)# interface e 1/8

HP9300(config-if-1/8)# disable

Syntax: disable

Syntax: enable

You also can disable or re-enable a virtual interface. To do so, enter commands such as the following: 

HP9300(config)# interface ve v1

HP9300(config-vif-1)# disable

Syntax: disable 

To re-enable a virtual interface, enter the enable command at the Interface configuration level. For example, to 
re-enable virtual interface v1 , enter the following command: 

HP9300(config-vif-1)# enable

Syntax: enable 

USING THE WEB MANAGEMENT INTERFACE 
To disable or enable a port: 

1. Log on to the device using a valid user name and password for read-write access. The System configuration
panel is displayed.

2. Click on the plus sign next to Configure in the tree view to display the configuration options. 

3. Select the Port link to display the Port table. 

4. Click on the Modify button next to the row of information for the port you want to reconfigure. 

5. Select either Enable or Disable option next to the Status option. 

6. Click Apply to save the changes to the device's running-config file. 

7. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change 
to the startup-config file on the device's flash memory. 

NOTE: You cannot disable or re-enable a virtual interface using the Web management interface. 

Disabling or Re-Enabling Flow Control 

You can configure full-duplex ports on a system to operate with or without flow control (802.3x). Flow control is 
enabled by default. 

USING THE CLI 

To disable flow control on full-duplex ports on a system, enter the following: 

HP9300(config)# no flow-control

To turn the feature back on:

HP9300(config)# flow-control

Syntax: [no] flow-control

USING THE WEB MANAGEMENT INTERFACE 

To disable or enable flow control on full-duplex ports on a system: 

1. Log on to the device using a valid user name and password for read-write access. The System configuration
panel is displayed.

2. Click on the plus sign next to Configure in the tree view to display the configuration options. 

3. Select the Port link to display the Port table. 

4. Click on the Modify button next to the row of information for the port you want to reconfigure. 

5. Select either Enable or Disable next to Flow Control. 

6. Click Apply to save the changes to the device's running-config file. 
7. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change
to the startup-config file on the device's flash memory. 

Changing the 802.3x Gigabit Negotiation Mode

The globally configured Gigabit negotiation mode for 802.3x flow control is the default mode for all Gigabit ports. 
You can override the globally configured default and set individual ports to the following: 

• Negotiate-full-auto - The port first tries to perform a handshake with the other port to exchange capability 
information. If the other port does not respond to the handshake attempt, the port uses the manually 
configured configuration information (or the defaults if an administrator has not set the information). This is 
the default. 

• Auto-Gigabit - The port tries to perform a handshake with the other port to exchange capability information.

• Negotiation-off - The port does not try to perform a handshake. Instead, the port uses configuration 
information manually configured by an administrator. 

USING THE CLI 

To change the mode for individual ports, enter commands such as the following: 

HP9300(config)# int ethernet 4/1 to 4/4

HP9300(config-mif-4/1-4/4)# gig-default auto-gig

This command overrides the global setting and sets the negotiation mode to auto-Gigabit for ports 4/1 - 4/4.

Syntax: gig-default neg-full-auto | auto-gig | neg-off

USING THE WEB MANAGEMENT INTERFACE

To override the global 802.3x negotiation mode for an individual Gigabit port on a Chassis device:

1. Log on to the device using a valid user name and password for read-write access. The System configuration
panel is displayed.

2. Click on the plus sign next to Configure in the tree view to display the configuration options. 

3. Select the Port link to display the Port table. 

4. Click on the Modify button next to the row of information for the port you want to reconfigure. 

5. Select one of the following values from the Gig Port Default field's pulldown menu: 

Default - The port uses the negotiation mode that was set at the global level. 

• Neg-off - The port does not try to perform a handshake. Instead, the port uses configuration information 
manually configured by an administrator. 

• Auto-Gig - The port tries to perform a handshake with the other port to exchange capability information. 

• Neg-Full-Auto - The port first tries to perform a handshake with the other port to exchange capability 
information. If the other port does not respond to the handshake attempt, the port uses the manually 
configured configuration information (or the defaults if an administrator has not set the information). 

6. Click Apply to save the changes to the device's running-config file. 

7. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change 
to the startup-config file on the device's flash memory. 



NOTE: You also can access the dialog for saving configuration changes by clicking on Command in the tree 
view, then clicking on Save to Flash.
Modifying Port Priority (QoS)

You can give preference to the inbound traffic on specific ports by changing the Quality of Service (QoS) level on 
those ports. For information and procedures, see the "Quality of Service (QoS)" chapter in the Advanced 
Configuration and Management Guide. 

Configuring Basic Layer 2 Parameters 

The procedures in this section describe how to configure the following Layer 2 parameters. Note that some of 
these parameters apply only to HP switches, not HP routing switches. 

• Layer 2 switching of unsupported router protocols (routing switches only) - see "Enabling or Disabling Layer 
2 Switching (routing switches only)" on page 9-29 

• Aging time for learned MAC address entries - see "Changing the MAC Age Time" on page 9-30 

• Static, non-aging MAC address entries - see "Configuring Static MAC Entries" on page 9-31 

• Trunk groups - see "Configuring Trunk Groups" on page 9-34 

• Port-based VLANs - see "Enabling Port-Based VLANs" on page 9-32 

• Layer 2 IP Multicast Traffic Reduction feature (switches only) - see "Configuring IP Multicast Traffic 
Reduction (HP 6208M-SX only)" on page 9-47 

NOTE: This section does not describe the IP Multicast features on HP routing switches. For information 
about these features, see the "Configuring IP Multicast Protocols" chapter in the Advanced Configuration and 
Management Guide. 

• MAC address filters - see "Defining MAC Address Filters" on page 9-51 

• Broadcast and Multicast Filters - see "Defining Broadcast and Multicast Filters" on page 9-55

• Port locks - see "Locking a Port To Restrict Addresses" on page 9-57

Enabling or Disabling Layer 2 Switching (routing switches only) 

By default, HP routing switches support Layer 2 switching. These devices switch the routing protocols that are not 
supported on the devices. If IPX routing is not enabled, then IPX traffic also is switched. By default IPX routing is 
disabled. If you want to disable Layer 2 switching, you can do so globally or on individual ports. 



NOTE: Make sure you really want to disable all Layer 2 switching operations before you use this option. Consult 
your reseller or Hewlett-Packard for information. 

USING THE CLI 

To globally disable Layer 2 switching on a routing switch, enter commands such as the following: 

HP9300(config)# route-only
HP9300(config)# exit
HP9300# write memory
HP9300# reload

To re-enable Layer 2 switching on a routing switch, enter the following: 

HP9300(config)# no route-only
HP9300(config)# exit
HP9300# write memory
HP9300# reload

Syntax: [no] route-only
To disable Layer 2 switching only on a specific interface, go to the Interface configuration level for that interface,
then disable the feature. The following commands show how to disable Layer 2 switching on port 3/2:

HP9300(config)# interface ethernet 3/2
HP9300(config-if-3/2)# route-only

Syntax: [no] route-only 

To re-enable Layer 2 switching, enter the command with "no", as in the following example: 

HP9300(config-if-3/2)# no route-only

USING THE WEB MANAGEMENT INTERFACE
1. Log on to the device using a valid user name and password for read-write access. The System configuration
panel is displayed.

2. Select Enable or Disable next to L2 Switching. 

3. Click Apply to save the changes to the device's running-config file. 

4. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change 
to the startup-config file on the device's flash memory. 

To disable or re-enable Layer 2 switching for an individual port: 

1. Log on to the device using a valid user name and password for read-write access. The System configuration
panel is displayed.

2. Click on the plus sign next to Configure in the tree view to display the configuration options. 

3. Select the Port link to display the Port table. 

4. Click on the Modify button next to the row of information for the port you want to reconfigure. 

5. Select Disable or Enable next to Route Only. 

6. Click Apply to save the changes to the device's running-config file. 

7. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change 
to the startup-config file on the device's flash memory. 

Changing the MAC Age Time 

This parameter sets the aging period for ports on the device, defining how long a port address remains active in 
the address table. This parameter value can be 0 or a number from 67 - 65535 seconds. The zero value results 
in no address aging. The default value for this field is 300 (seconds). 

USING THE CLI 

To change the aging period for MAC addresses from the default value of 300 seconds to 600 seconds: 

HP9300(config)# mac-age-time 600

Syntax: [no] mac-age-time <age-time> 

The <age-time> can be 0 or a number from 67 - 65535. 

USING THE WEB MANAGEMENT INTERFACE 

To change the aging period for MAC addresses to 600 seconds: 

1. Log on to the device using a valid user name and password for read-write access. The System configuration
panel is displayed.

2. Select the Advance link. 

3. Enter the new age in the Switch Age Time field. You can enter a value from 0 - 65535. 

4. Click Apply to save the changes to the device's running-config file. 
5. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change
to the startup-config file on the device's flash memory. 

Configuring Static MAC Entries 

This section describes how to configure static MAC addresses. 



NOTE: HP routing switches also support the assignment of static IP Routes, static ARP, and static RARP 
entries. For details on configuring these types of static entries, see the "Configuring IP" chapter in the Advanced 
Configuration and Management Guide. 



You can manually input the MAC address of a device to prevent it from being aged out of the system address 
table. 

This option can be used to prevent traffic destined for a specific device, such as a server, from being flooded to 
all ports when the device is down and its address would otherwise have aged out of the table. Additionally, a static 
MAC address entry can be used to assign a higher priority to traffic for a specific MAC address. 

You can specify port priority (QoS) and VLAN membership (VLAN ID) for the MAC Address as well as specify 
device type of either router or host. 



NOTE: The device type parameter "router" or "host" is not supported on routing switches when assigning static 
MAC addresses. This parameter is available only on the HP 6208M-SX. 

The default and maximum configurable MAC table sizes can differ depending on the device. To determine the 
default and maximum MAC table sizes for your device, display the system parameter values. See "Displaying and 
Modifying System Parameter Default Settings" on page 9-58. 

EXAMPLE: 

To add a static entry for a server with a MAC address of 1145.5563.67FF and a priority of 7 to port 2 of module 1 
of an HP 9304M or HP 9308M routing switch: 

USING THE CLI 

HP9300(config)# static-mac-address 1145.5563.67FF e 1/2 priority 7 

Syntax: static-mac-address <mac-addr> ethernet <portnum> [priority <0-7>] [host-type | router-type] 

The priority can be 0 - 7 (0 is lowest priority and 7 is highest priority). The default priority is 0. The default type is 
host-type. 



NOTE: The location of the static-mac-address command in the CLI depends on whether you configure port-based 
VLANs on the device. If the device does not have more than one port-based VLAN (VLAN 1, which is the 
default VLAN that contains all the ports), the static-mac-address command is at the global CONFIG level of the 
CLI. If the device has more than one port-based VLAN, then the static-mac-address command is not available 
at the global CONFIG level. In this case, the command is available at the configuration level for each port-based 
VLAN. 



USING THE WEB MANAGEMENT INTERFACE 

1. Log on to the device using a valid user name and password for read-write access. The System configuration 
panel is displayed. 

2. Click on the plus sign next to Configure in the tree view to display the list of configuration options. 

3. Select the Static Station link. 

• If the system already contains static MAC addresses and you are adding a new static MAC address, click 
on the Add Static Station link to display the Static Station Table configuration panel, as shown in the 
following example. 

• If you are modifying an existing static MAC address, click on the Modify button to the right of the row 
describing the static MAC address to display the Static Station Table configuration panel, as shown in 
the following example. 

4. Enter or edit the MAC address, if needed. Specify the address in the following format: 
xx-xx-xx-xx-xx-xx. 

5. Change the VLAN number if needed by editing the value in the VLAN ID field. 

6. Select the port number from the Slot (for Chassis devices) and Port pulldown lists. 

7. Select a QoS level from 0-7 from the QoS field's pulldown menu. For information about QoS, see the 
"Quality of Service (QoS)" chapter in the Advanced Configuration and Management Guide. 

8. Click the Add button (to add a new static MAC entry) or the Modify button (if you are modifying an existing 
entry) to save the change to the device's running-config file. 

9. Click the Apply button to save the change to the device's running-config file. 

10. Select the Save link at the bottom of the dialog, then select Yes when prompted to save the configuration 
change to the startup-config file on the device's flash memory. 

Enabling Port-Based VLANs 

Port and protocol VLANs must first be enabled at the system (global) level before they can be configured at the 
VLAN level. For details on configuring VLANs, see the "Configuring Virtual LANs (VLANs)" chapter in the 
Advanced Configuration and Management Guide. 

USING THE CLI 

When using the CLI, port and protocol-based VLANs are created by entering one of the following commands at 
the global CONFIG level of the CLI. 

To create a port-based VLAN, enter commands such as the following: 

HP9300(config)# vlan 222 by port 
HP9300(config-vlan-222)# vlan 222 name Mktg 

Syntax: vlan <num> by port 
Syntax: vlan <num> name <string> 

The <num> parameter specifies the VLAN ID. The valid range for VLAN IDs starts at 1 on all systems but the 
upper limit of the range differs depending on the device. In addition, you can change the upper limit on some 
devices using the vlan max-vlans... command. See the Command Line Interface Reference. 

The <string> parameter is the VLAN name and can be a string up to 16 characters. You can use blank spaces in 
the name if you enclose the name in double quotes (for example, "Product Marketing"). 

NOTE: The second command is optional and also creates the VLAN if the VLAN does not already exist. You 
can enter the first command after you enter the second command if you first exit to the global CONFIG level of the 
CLI. 
USING THE WEB MANAGEMENT INTERFACE 

To enable port-based VLANs on the switch or routing switch: 

1. Log on to the device using a valid user name and password for read-write access. The System configuration 
panel is displayed. 

2. Select the box next to Port, next to Policy Based VLANs. 

3. Click Apply to save the changes to the device's running-config file. 

4. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change 
to the startup-config file on the device's flash memory. 

Assigning IEEE 802.1q Tagging to a Port 

When a port is tagged, it can be a member of more than one port-based VLAN and carries traffic for each of those 
VLANs, with each frame marked by its 802.1q VLAN ID. A common use for this might be to place an email server 
that multiple groups may need access to on a tagged port, which in turn is resident in all VLANs that need access 
to the server. 

NOTE: Tagging is disabled by default on individual ports. 
NOTE: Tagging does not apply to the default VLAN. 

For details on configuring port-based VLANs, see the "Configuring Virtual LANs (VLANs)" chapter in the 
Advanced Configuration and Management Guide. 

USING THE CLI 

When using the CLI, ports are defined as either tagged or untagged at the VLAN level. 
EXAMPLE: 

Suppose you want to make port 5 on module 1 a member of port-based VLAN 4, a tagged port. To do so, enter 
the following: 

HP9300(config)# vlan 4 
HP9300(config-vlan-4)# tagged e 1/5 

Syntax: tagged ethernet <portnum> [to <portnum> [ethernet <portnum>]] 

USING THE WEB MANAGEMENT INTERFACE 

To apply 802.1q tagging to a port: 

1. Log on to the device using a valid user name and password for read-write access. The System configuration 
panel is displayed. 

2. Click on the plus sign next to Configure in the tree view to display the configuration options. 

3. Select the Port link to display the Port table. 

4. Click on the Modify button next to the row of information for the port you want to reconfigure. 

5. Select Enable next to IEEE Tagging. 

NOTE: This option appears only if you are modifying a port that is a member of a port-based VLAN other 
than the default VLAN. Tagging does not apply to ports that are not in a port-based VLAN and does not apply 
to the default VLAN. 

6. Click Apply to save the changes to the device's running-config file. 

7. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change 
to the startup-config file on the device's flash memory. 
Configuring Trunk Groups 

The Trunk Group feature allows you to establish multiple high-speed load-sharing links between two HP switches 
or routing switches or between an HP switch or routing switch and a server. You can configure from 2-4 ports as 
a trunk group, supporting transfer rates of up to 4 Gbps of bi-directional traffic. 

In addition, on the HP 9304M and HP 9308M, you can configure up to eight ports on two Gigabit Ethernet modules 
as a multi-module trunk group. Figure 9.2 shows an example of a configuration that uses trunk groups. 

In addition to enabling load sharing of traffic, trunk groups provide redundant, alternate paths for traffic if any of the 
segments fail. 



[Figure 9.2 image: HP Switch 4000, Power Users (Dedicated 100 Mbps), Super Server] 

Figure 9.2 Trunk Group application within an HP routing switch network 



NOTE: The ports in a trunk group make a single logical link. Therefore, all the ports in a trunk group must be 
connected to the same device at the other end. 



Trunk Group Connectivity to a Server 

To support termination of a trunk group, the server must have either multiple network interface cards (NICs) or a 
dual or quad interface card installed. The trunk server is designated as a server with multiple adapters or a single 
adapter with multiple ports that share the same MAC and IP address. Figure 9.3 shows an example of a trunk 
group between a server and an HP device. 
Figure 9.3 Trunk group between a server and a switch or routing switch 

Trunk Group Rules 

• You can configure up to 64 trunk groups on a Chassis device, and up to four trunk groups on the Fixed-port 
devices. 

• Each trunk group must start with a primary port. The primary port is always the lowest number in the port 
range. For example, on the J4140A 10/100 module: 

Ranges for four-port trunk groups: 1 - 4, 5 - 8, 9 - 12, 13 - 16, 17 - 20, 21 - 24 

Ranges for two-port trunk groups: 1 - 2, 3 - 4, 5 - 6, 7 - 8, 9 - 10, 11 - 12, 13 - 14, 15 - 16, 17 - 18, 
19 - 20, 21 - 22, 23 - 24 



NOTE: You can configure up to 12 trunk groups on an HP 9304M or HP 9308M 24-port 10/100 module. 
The 24-port 10/100 modules have the following primary ports: 1, 3, 5, 7, 9, 11, 13, 15, 17, 19, 21, and 23. 
See Figure 9.6. 



• Port assignment must be contiguous. The port range cannot contain gaps. For example, you can configure 
ports 1, 2, 3, and 4 together as a trunk group but not ports 1, 3, and 4 (excluding 2). 

• Port assignment cannot be across multiple trunk group boundaries. For example, on a Fixed-port device, 
ports 4 and 5 cannot be in the same trunk group. 

• All the ports must be connected to the same device at the other end. 

• All trunk group member properties must match the lead port of the trunk group with respect to the following 
parameters: 

• Port tag type (untagged or tagged port) 

• Port speed and duplex 

• QoS priority 
To change port parameters, you must change them on the primary port. The software automatically applies 
the changes to the other ports in the trunk group. 

Figure 9.4 shows some examples of valid 2-port trunk group links between devices. The trunk groups in this 
example are switch trunk groups, between two HP devices. Ports in a valid 2-port trunk group on one device are 
connected to two ports in a valid 2-port trunk group on another device. The same rules apply to 4-port trunk 
groups. 
Figure 9.5 shows an example of two Chassis devices connected by multi-slot trunk groups. 

Figure 9.5 Examples of multi-slot trunk groups 

Figure 9.6 shows the valid 2-port and 4-port trunk groups on chassis 10/100 modules. 

[Figure 9.6 image: valid 2-port trunk groups; valid 4-port trunk groups] 

Figure 9.6 Valid 2-port and 4-port trunk groups on chassis 10/100 modules 

Additional Trunk Group Rules for Gigabit Ethernet Modules on Chassis Devices 

• You can configure a multi-slot trunk group on two Gigabit Ethernet modules. 

• You can configure a maximum of eight ports in the trunk group. 

• You can configure up to two groups of ports to make the trunk group and the groups must be alike. For 
example, you can group two sets of two ports together or two sets of four ports together but you cannot group 
a set of two ports with a set of four ports. Each group of ports can contain two or four ports. 

• Each group of ports must begin with a primary port. On Gigabit Ethernet modules, the primary ports are 1, 3, 
5, and 7. 

• When you specify the ports in the trunk group, you must specify them in ascending numerical order, 
beginning with the primary port. For example, to specify a group containing ports 1/1 - 1/4 and 3/1 - 3/4, you 
must specify them in the order shown. You cannot specify 3/1 - 3/4 first. 

• Port configuration for each trunk group is based on the configuration of the primary port. To change port 
parameters, you must change them on the primary port. The software automatically applies the changes to 
the other ports in the trunk group. 
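The rules above can be checked before a trunk command is entered on the device. The following Python script is an added example and is not part of this guide or of the HP software: it validates one or two port groups, given in the chassis slot/port form (for example, 1/1), against the rules in this section and returns the trunk command that would create the group. It assumes that the caller states which slots hold Gigabit Ethernet modules (only those may form a two-group multi-slot trunk) and that 4-port groups always begin on ports 1, 5, 9, ... as in the ranges listed above. The invalid cases at the end are the ones the text cites: ports 1, 3 and 4 (a gap) and ports 4 and 5 (across a trunk group boundary).

```python
"""Validate a proposed HP 9300-series trunk group against the membership rules
in this chapter and emit the CLI command that would create it.

Added example; not HP code. Rules encoded: 2 or 4 contiguous ports per group,
each group beginning on a primary port (1, 3, 5, ... for 2-port groups;
1, 5, 9, ... for 4-port groups), at most two groups of equal size for a
multi-slot trunk, groups listed in ascending order. Which slots hold Gigabit
modules is an assumption supplied by the caller.
"""

from typing import List, Tuple


def parse_port(name: str) -> Tuple[int, int]:
    """'4/5' -> (4, 5): chassis slot and port number."""
    slot, port = name.split("/")
    return int(slot), int(port)


def check_group(ports: List[str]) -> str:
    """Return '' if the port group is valid, else the rule it breaks."""
    if len(ports) not in (2, 4):
        return f"group {ports} must contain 2 or 4 ports, not {len(ports)}"
    parsed = [parse_port(p) for p in ports]
    if len({slot for slot, _ in parsed}) != 1:
        return f"group {ports} spans more than one slot"
    nums = [port for _, port in parsed]
    if nums != list(range(nums[0], nums[0] + len(nums))):
        return f"group {ports} is not a contiguous ascending range"
    # Primary port: 2-port groups start on an odd port, 4-port groups on 1, 5, 9, ...
    if (nums[0] - 1) % len(nums) != 0:
        return f"group {ports} does not begin on a primary port"
    return ""


def validate_trunk(groups: List[List[str]], gigabit_slots=()) -> Tuple[bool, str]:
    """Validate one or two port groups. gigabit_slots (assumed input) lists the
    slots that hold Gigabit Ethernet modules; only those may form a two-group trunk."""
    if not 1 <= len(groups) <= 2:
        return False, "a trunk group consists of one or two port groups"
    for group in groups:
        err = check_group(group)
        if err:
            return False, err
    if len(groups) == 2:
        first, second = groups
        if len(first) != len(second):
            return False, "both port groups must contain the same number of ports"
        if parse_port(first[0]) >= parse_port(second[0]):
            return False, "port groups must be listed in ascending order, primary group first"
        for group in groups:
            slot = parse_port(group[0])[0]
            if slot not in gigabit_slots:
                return False, f"slot {slot} is not a Gigabit module; a two-group trunk needs two Gigabit modules"
    return True, ""


def trunk_command(groups: List[List[str]], kind: str = "switch", gigabit_slots=()) -> str:
    """Build the 'trunk server | switch ethernet ... to ...' command, or raise."""
    ok, why = validate_trunk(groups, gigabit_slots)
    if not ok:
        raise ValueError(why)
    if kind not in ("switch", "server"):
        raise ValueError("trunk type must be 'switch' or 'server'")
    ranges = " ".join(f"ethernet {g[0]} to {g[-1]}" for g in groups)
    return f"trunk {kind} {ranges}"


if __name__ == "__main__":
    # Example 2 from this chapter: two 4-port groups on Gigabit modules in slots 1 and 4
    print(trunk_command([["1/1", "1/2", "1/3", "1/4"], ["4/5", "4/6", "4/7", "4/8"]],
                        gigabit_slots=(1, 4)))
    # Invalid groups cited in the rules: a gap, and a range across a trunk boundary
    for bad in ([["1/1", "1/3", "1/4"]], [["1/4", "1/5"]]):
        print(bad, "->", validate_trunk(bad)[1])
```

Run the script before typing the trunk command; the save (write memory) and reload steps described below still have to follow on the device itself.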

Trunk Group Load Sharing 

When you configure a trunk group, you specify whether the trunk group is a "switch" trunk group or a "server" trunk 
group: 

• Switch trunk group - Use this type of trunk group to connect one HP switch or routing switch to another HP 
switch or routing switch. 

• Server trunk group - Use this type of trunk group to connect an HP switch or routing switch to a file server or 
single host device. 

The HP device load shares across the ports in the trunk group. 
Table 9.3: HP Trunk Group Load Sharing - Routing Switches 

Table 9.4: HP Trunk Group Load Sharing - Switch 

Configuring a Trunk Group 

1. Disconnect the cables from those ports on both systems that will be connected by the trunk group. Do not 
configure the trunk groups with the cables connected. 

NOTE: If you connect the cables before configuring the trunk groups and rebooting, the traffic on the 
ports can create a spanning tree loop. 

2. Configure the trunk group on one of the two switches or routing switches involved in the configuration. Save 
this configuration to flash and reboot the system. 

NOTE: Hewlett-Packard recommends that you reload the software immediately after saving a trunk group 
configuration to the startup-config file, before making further configuration changes. 

3. If the device at the other end of the trunk group is another Layer 2 or routing switch, repeat Step 2 for the 
other device. 

4. When both devices are reset (re-booted) and operational, reconnect the cables to those ports that are now 
configured as trunk groups, starting with the first port (lead port) of each trunk group. 

5. To verify the connection is operational, use the show trunk command. 

Example 1: Configuring the Trunk Groups Shown in Figure 9.2 

To configure the trunk groups shown in Figure 9.2, enter the following commands. Notice that the commands are 
entered on multiple devices. 

USING THE CLI 

To configure the trunk group link between Router1 and Router2 in Figure 9.2 on page 9-34, enter the following 
commands. 
NOTE: In the CLI example below, the lines that do not begin with a CLI prompt are messages echoed to the 
screen in answer to the CLI commands entered. 

Enter these commands on Router1: 

HP9304(config)# trunk switch e 1/1 to 1/2 
Trunk 2 is created for next power cycle. 
Please save configuration to flash and reboot. 
HP9304(config)# write memory 
Write startup-config in progress. 
.Write startup-config done. 
HP9304(config)# exit 
HP9304# reload 

Enter these commands on Router2: 

HP9304(config)# trunk server e 4/1 to 4/2 
Trunk 0 is created for next power cycle. 
Please save configuration to flash and reboot. 
HP9304(config)# write memory 
Write startup-config in progress. 
.Write startup-config done. 
HP9304(config)# exit 
HP9304# reload 

Syntax: trunk server | switch ethernet <portnum> to <portnum> 

You then configure the trunk group on the HP ProCurve Switch 4000M. For more information, see the 
documentation for the HP ProCurve Switch 4000M. 

USING THE WEB MANAGEMENT INTERFACE 

To configure ports 5 - 8 as a trunk group between two switches, two routing switches, or a switch or routing switch 
and a server: 

1. Log on to the device using a valid user name and password for read-write access. The System configuration 
panel is displayed. 

2. Click on the plus sign next to Configure in the tree view to display the configuration options, then select the Trunk link. 

• If the device does not have any trunk groups configured, the Trunk configuration panel is displayed, as 
shown in the following example. 

• If a trunk group is already configured and you are adding a new one, click on the Add Trunk Group link to 
display the Trunk configuration panel, as shown in the following example. 

• If you are modifying an existing trunk group, click on the Modify button to the right of the row describing 
the trunk group to display the Trunk configuration panel, as shown in the following example. 
NOTE: The panel lists port ranges only for the slots that contain an active module. In addition, only the 
ranges that are valid for the module are listed. 

The port ranges listed by the panel contain four ports, but the default number of ports in a group is two. If you 
select a group and leave the number of ports in a group at two, the software assigns the first two ports in the 
group you select to the trunk group. The last two ports do not become members of the trunk group. 



3. Select a port range (for example, 5 - 8). On Chassis devices, the port numbers include the slot numbers. For 
example, you can select 1/5 - 1/8. 

4. Select the number of ports you want to use in the trunk group. You can select 2 or 4. 

5. Click in the checkbox next to Server to place a checkmark in the box if the other end of the trunk group is a 
server. If the other end of the connection is an HP switch or routing switch, do not click this checkbox. 

6. Click Apply to save the changes to the device's running-config file. 

7. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change 
to the startup-config file on the device's flash memory. 

8. Click on the plus sign next to Command in the tree view to list the command options. 

9. Select the Reload link and select Yes when the Web management interface asks you whether you really want 
to reload the software. 

10. If the other end of the trunk group is a switch or routing switch, log in to the other device and follow the steps 
above. 

Example 2: Configuring a Trunk Group That Spans Multiple Gigabit Ethernet Modules in a Chassis Device 

To configure a trunk group that spans two modules in an HP 9304M or HP 9308M Chassis device, use one of the 
following methods. 

USING THE CLI 

To configure a trunk group consisting of two groups of ports, 1/1 - 1/4 on module 1 and 4/5 - 4/8 on module 4, 
enter the following commands: 

HP9300(config)# trunk ethernet 1/1 to 1/4 ethernet 4/5 to 4/8 
HP9300(config)# write memory 
HP9300(config)# exit 
HP9300# reload 



NOTE: HP recommends that you reload the software immediately after saving a trunk group configuration to flash 
memory, before making further configuration changes. 



Syntax: trunk [server | switch] ethernet <primary-portnum> to <portnum> ethernet <primary-portnum> to 
<portnum> 

The server | switch parameter specifies whether the trunk ports will be connected to a server or to another switch 
or routing switch. This parameter affects the type of load balancing performed by the device. See "Trunk Group 
Load Sharing" on page 9-38. The default is switch. 

Each ethernet parameter introduces a port group. 

The <primary-portnum> to <portnum> parameters specify a port group. Notice that each port group must begin 
with a primary port. After you enter this command, the primary port of the first port group specified (which must be 
the group with the lower port numbers) becomes the primary port for the entire trunk group. For Gigabit Ethernet 
modules, the primary ports are 1, 3, 5, and 7. 

To configure a trunk group consisting of two groups of two ports each, enter commands such as the following: 

HP9300(config)# trunk ethernet 1/1 to 1/2 ethernet 3/3 to 3/4 
HP9300(config)# write memory 
HP9300(config)# exit 
HP9300# reload 

Notice that the groups of ports meet the criteria for a multi-slot trunk group. Each group contains the same 
number of ports (two) and begins on a primary port (1/1 and 3/3). 

USING THE WEB MANAGEMENT INTERFACE 

1. Log on to the device using a valid user name and password for read-write access. The System configuration 
panel is displayed. 

2. Click on the plus sign next to Configure in the tree view to display the configuration options. 

3. Select the Trunk link. 

• If the device does not have any trunk groups configured, the Trunk configuration panel is displayed, as 
shown in the following example. 

• If a trunk group is already configured and you are adding a new one, click on the Add Trunk Group link to 
display the Trunk configuration panel, as shown in the following example. 

• If you are modifying an existing trunk group, click on the Modify button to the right of the row describing 
the trunk group to display the Trunk configuration panel, as shown in the following example. 
[Trunk configuration panel: a list of selectable port groups ("Please select 1 or 2 groups"), a Number of Ports 
Per Group selector (2 or 4), a Server checkbox, and Add, Modify, Delete, Reset and Show buttons. The panel 
notes that the change will take effect after reboot.] 

4. Select a port range (for example, 5-8). On Chassis devices, the port numbers include the slot numbers. For 
example, you can select 1/5 - 1/8. 

5. Select 2 or 4 to indicate the number of ports in each group. Each group must have the same number of ports. 

6. Select the port groups. Each group begins with the primary port number for that group. To select two groups, 
click on the first group, then hold down the CTRL key and click on the second group. Do not select more than 
two groups. 

7. Select Server if you are connecting the trunk group ports to a server. Otherwise, the software assumes you 
are connecting the trunk group ports to another Layer 2 or routing switch and uses the default value Switch. 

8. Click Apply to save the changes to the device's running-config file. 

9. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change 
to the startup-config file on the device's flash memory. 

10. Click on the plus sign next to Command in the tree view to list the command options. 

11. Select the Reload link and select Yes when the Web management interface asks you whether you really want 
to reload the software. 

12. If the other end of the trunk group is a switch or routing switch, log in to the other device and follow the steps 
above. 



NOTE: Hewlett-Packard recommends that you reload the software immediately after saving a trunk group 
configuration to flash memory, before making further configuration changes. 



Modifying Trunk Group Membership 

You can change port membership by removing individual ports from the trunk group. To remove a port from a 
trunk group, use one of the following methods. 

USING THE CLI 

To remove ports 1/3 and 1/4 from the trunk group, enter the following command: 

HP9300(config)# no trunk ethernet 1/3 to 1/4 

Syntax: no trunk ethernet <portnum> [to <portnum>] 

The <portnum> parameter indicates the port you are removing. 
NOTE: Make sure you enter the lower port in the range before the "to" and the higher port in the range after the 
"to". 



As a shortcut, you also can enter just the lower port in the range. The software automatically removes all higher 
ports in addition to the specified port. For example, to remove ports 1/3 and 1/4, you can enter the following 
command: 

HP9300(config)# no trunk ethernet 1/3 

The rules regarding trunk group membership are the same as in earlier software releases. 
Therefore, for trunk group 1/1 - 1/4, the following commands are not valid: 

HP9300(config)# no trunk ethernet 1/2 

or 

HP9300(config)# no trunk ethernet 1/2 to 1/4 

These commands are invalid because the trunk group cannot contain only a single port. These commands, if the 
software allowed them, would result in a trunk group consisting only of port 1/1. 

On most devices, trunk groups can contain two ports or four ports but cannot contain only three ports. Therefore, 
the following command also is invalid for trunk group 1/1 - 1/4: 

HP9300(config)# no trunk ethernet 1/4 

This command is invalid because it would result in a trunk group containing three ports, 1/1 - 1/3. 
USING THE WEB MANAGEMENT INTERFACE 

1. Disconnect the ports to the server, switch, or routing switch at the other end of the trunk. 

2. Log on to the device using a valid user name and password for read-write access. The System configuration 
panel is displayed. 

3. Click on the plus sign next to Configure in the tree view to display the configuration options. 

4. Select the Trunk link to display a table listing the configured trunk groups. 

5. Click the Modify button next to the trunk group you want to modify. The Trunk configuration panel is 
displayed. The panel contains the settings for the trunk group you selected. 

6. Select 2 or 4 to indicate the number of ports. 

7. Select Server if you are connecting the trunk group ports to a server. Otherwise, the software assumes you 
are connecting the trunk group ports to another switch or routing switch and uses the default value Switch. 

8. Click the Modify button. 

9. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change 
to the startup-config file on the device's flash memory. 

10. Click on the plus sign next to Command in the tree view to list the command options. 

11. Select the Reload link and select Yes when the Web management interface asks you whether you really want 
to reload the software. 



NOTE: Hewlett-Packard recommends that you reload the software immediately after saving a trunk group 
configuration to flash memory, before making further configuration changes. 



NOTE: If you accidentally select a different port range by selecting a value in the Trunk Group field's pulldown 
menu, the software creates a new trunk group with the range and other values you select. 
Deleting a Trunk Group 

To delete a trunk group, use either of the following methods. 
USING THE CLI 

To delete a trunk group, use "no" in front of the command you used to create the trunk group. For example, to 
remove one of the trunk groups configured in the examples above, enter the following command: 

HP9300(config)# no trunk ethernet 1/1 to 1/2 ethernet 3/3 to 3/4 

Syntax: no trunk ethernet <portnum> to <portnum> [ethernet <portnum> to <portnum>] 

USING THE WEB MANAGEMENT INTERFACE 

To delete a trunk group: 

1. Disconnect the ports to the server, switch, or routing switch at the other end of the trunk. 

2. Log on to the device using a valid user name and password for read-write access. The System configuration 
panel is displayed. 

3. Click on the plus sign next to Configure in the tree view to display the configuration options. 

4. Select the Trunk link to display a table listing the configured trunk groups. 

5. Click the Delete button next to the trunk group you want to delete. 

6. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change 
to the startup-config file on the device's flash memory. 

7. Click on the plus sign next to Command in the tree view to list the command options. 

8. Select the Reload link and select Yes when the Web management interface asks you whether you really want 
to reload the software. 

NOTE: If the other end of the trunk group is a switch or routing switch, log in to the other system and follow 
the applicable steps above. 



Displaying Trunk Group Configuration Information 

To display configuration information for the trunk groups configured on the Chassis device, use one of the 
following methods. Each method displays information for configured trunk groups and operational trunk groups. 
A configured trunk group is one that has been configured in the software but has not been placed into operation by 
a reset or reboot. An operational trunk group is one that has been placed into operation by a reset or reboot. 

USING THE CLI 

Enter the following command at any CLI level: 

HP9300(config)# show trunk 
Configured trunks: 
Trunk  Type    Ports 
1      Switch  1/1 1/2 1/3 1/4 2/1 2/2 2/3 2/4 
Operational trunks: 
Trunk  Type    Ports                             Duplex  Speed  Tag  Priority 
1      Switch  1/1 1/2 1/3 1/4 2/1 2/2 2/3 2/4   None    None   No   level0 

Syntax: show trunk 
The following table describes the information displayed by the show trunk command. 

Table 9.5: CLI Trunk Group Information 

This Field...   Displays... 

Trunk           The trunk group number. The software numbers the groups in the display to make the display 
                easy to use. 

Type            The type of trunk group, which can be one of the following: 
                • Server - The trunk group is connected to a server. 
                • Switch - The trunk group is connected to another switch or routing switch. 

Ports           The ports in the trunk group. 

Duplex          The mode of the port, which can be one of the following: 
                • None - The link on the primary trunk port is down. 
                • Full - The primary port is running in full-duplex. 
                • Half - The primary port is running in half-duplex. 
                Note: This field and the following fields apply only to operational trunk groups. 

Speed           The speed set for the port. The value can be one of the following: 
                • None - The link on the primary trunk port is down. 
                • 10 - The port speed is 10 Mbps. 
                • 100 - The port speed is 100 Mbps. 
                • 1G - The port speed is 1000 Mbps. 

Tag             Indicates whether the ports have 802.1q VLAN tagging. The value can be Yes or No. 

Priority        Indicates the Quality of Service (QoS) priority of the ports. The priority can be a value 
                from 0 - 7. 
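After the reload, the Configured and Operational sections of show trunk should agree. The following Python script is an added example and is not HP code: it parses show trunk output in the layout shown above and reports trunks that are configured but not operational (saved without a reload), trunks whose operational membership differs from the configuration, and operational trunks whose primary port link is down (Duplex None). The sample output embedded in the script is constructed for the example and was not captured from a device.

```python
"""Parse HP 9300-series 'show trunk' output and report trunks that are
configured but not operational, that differ between the two sections, or
whose primary port link is down.

Added example; not HP code. Column layout follows the 'show trunk' output
shown in this section. SAMPLE_SHOW_TRUNK is constructed for the example:
trunk 2 was saved but the device has not been reloaded, and trunk 3's
primary port has no link.
"""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE_SHOW_TRUNK = """\
Configured trunks:
Trunk Type Ports
1 Switch 1/1 1/2 1/3 1/4 2/1 2/2 2/3 2/4
2 Server 4/1 4/2
3 Switch 3/3 3/4
Operational trunks:
Trunk Type Ports Duplex Speed Tag Priority
1 Switch 1/1 1/2 1/3 1/4 2/1 2/2 2/3 2/4 Full 1G No level0
3 Switch 3/3 3/4 None None No level0
"""


@dataclass
class Trunk:
    number: int
    kind: str                      # Switch or Server
    ports: List[str]
    duplex: Optional[str] = None   # the remaining fields exist only for operational trunks
    speed: Optional[str] = None
    tag: Optional[str] = None
    priority: Optional[str] = None


def parse_show_trunk(text: str) -> Tuple[Dict[int, Trunk], Dict[int, Trunk]]:
    """Return (configured, operational) dicts keyed by trunk number."""
    configured: Dict[int, Trunk] = {}
    operational: Dict[int, Trunk] = {}
    section: Optional[Dict[int, Trunk]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Configured trunks"):
            section = configured
            continue
        if line.startswith("Operational trunks"):
            section = operational
            continue
        # Data rows start with the trunk number; skip headers and blank lines.
        if section is None or not line or not line[0].isdigit():
            continue
        fields = line.split()
        number, kind = int(fields[0]), fields[1]
        if section is operational:
            # The last four columns are Duplex, Speed, Tag and Priority;
            # everything between Type and Duplex is the port list.
            duplex, speed, tag, priority = fields[-4:]
            section[number] = Trunk(number, kind, fields[2:-4], duplex, speed, tag, priority)
        else:
            section[number] = Trunk(number, kind, fields[2:])
    return configured, operational


def trunk_findings(text: str) -> List[str]:
    """Differences an operator wants to see after 'show trunk'."""
    configured, operational = parse_show_trunk(text)
    findings: List[str] = []
    for num, conf in sorted(configured.items()):
        oper = operational.get(num)
        if oper is None:
            findings.append(f"trunk {num} ({conf.kind} {conf.ports[0]} to {conf.ports[-1]}) "
                            "is configured but not operational: save to flash and reload")
        elif oper.ports != conf.ports or oper.kind != conf.kind:
            findings.append(f"trunk {num} operational membership or type differs from the configuration")
        elif oper.duplex == "None":
            findings.append(f"trunk {num} primary port {conf.ports[0]} link is down")
    for num in sorted(set(operational) - set(configured)):
        findings.append(f"trunk {num} is operational but no longer in the configuration")
    return findings


if __name__ == "__main__":
    for finding in trunk_findings(SAMPLE_SHOW_TRUNK):
        print(finding)
```

Feed the script the captured output of show trunk from each end of the link; a trunk that appears only under Configured trunks on one device explains why the far end sees no link aggregation.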



USING THE WEB MANAGEMENT INTERFACE 

1. Log on to the device using a valid user name and password for read-write access. The System configuration 
panel is displayed. 

2. Click on the plus sign next to Configure in the tree view to display the configuration options. 

3. Select the Trunk link to display a table listing the configured trunk groups. 
This display shows the following information. 



Table 9.6: Web Management Trunk Group Information 

This Field...      Displays... 

Connection Type    The type of trunk group, which can be one of the following: 
                   • Server - The trunk group is connected to a server. 
                   • Switch - The trunk group is connected to another switch or routing switch. 

Port Members       The ports in the trunk group. 



Configuring IP Multicast Traffic Reduction (HP 6208M-SX only) 

The HP 6208M-SX forwards all IP multicast traffic by default based on the Layer 2 information in the packets. 
Optionally, you can enable HP switches to make forwarding decisions in hardware based on IP multicast group by 
enabling the IP Multicast Traffic Reduction feature. 

When this feature is enabled, the switch examines the IP multicast address in an IP multicast packet and forwards 
the packet only on the ports from which the switch has received Group Membership reports for that group. The 
switch sends traffic for other groups out all ports. 

When you enable IP Multicast Traffic Reduction, you also can configure the following features: 

• IGMP mode - When you enable IP Multicast Traffic Reduction, the switch passively listens for IGMP Group 
Membership reports by default. If the multicast domain does not have a router to send IGMP queries to elicit 
these Group Membership reports, you can enable the switch to actively send the IGMP queries. 

• Query interval - The query interval specifies how often the switch sends Group Membership queries. This 
query interval applies only to the active IGMP mode. The default is 60 seconds. You can change the interval 
to a value from 10 - 600 seconds. 

• Age interval - The age interval specifies how long an IGMP group can remain in the IGMP group table without 
the switch receiving a Group Membership report for the group. If the age interval expires before the switch 
receives another Group Membership report for the group, the switch removes the entry from the table. The 
default is 140 seconds. You can change the interval to a value from 10 - 1220 seconds. 

• Forwarding policy - The switch forwards all IP multicast traffic by default but you can enable the switch to 
forward IP multicast traffic only for groups for which the switch has received a Group Membership report, and 
drop traffic for all other groups. 

The following sections describe how to configure IP multicast parameters on an HP switch. 

Enabling IP Multicast Traffic Reduction 

By default, the HP 6208M-SX forwards all IP multicast traffic out all ports except the port on which the traffic was 
received. To reduce multicast traffic through the switch, you can enable IP Multicast Traffic Reduction. This 
feature configures the switch to forward multicast traffic only on the ports attached to multicast group members. 
The switch determines the ports that are attached to multicast group members based on entries in the IGMP table. 
Each entry in the table consists of an IP multicast group address and the HP switch ports from which the switch 
has received Group Membership reports for that group. 

By default, the switch broadcasts traffic addressed to an IP multicast group that doesn't have an entry in the IGMP 
table. You can configure the switch to filter out traffic for these groups. See "Filtering Multicast Groups" on 
page 9-50. 

After you enable IP Multicast Traffic Reduction, when the switch receives traffic for an IP multicast group, the 
switch looks in the IGMP table for an entry for that group. If the switch finds an entry, the switch forwards the 
group traffic out the ports listed in the group entry. If the table does not contain an entry for the group, the switch 
broadcasts the traffic. 

The IGMP table is populated by receipt of Group Membership messages from IP multicast group members. Each 
Group Membership message contains the member's IP address and the group address. The HP switch can 
populate the IGMP table using the active or passive IGMP mode, as described in "Changing the IGMP Mode" on 
page 9-48. By default, the switch uses the passive mode. 
NOTE: When one or more HP 6208M-SX switches are running Layer 2 IP Multicast Traffic Reduction, configure 
one of the switches for active IGMP and leave the other switches configured for passive IGMP. However, if the IP 
multicast domain contains a multicast-capable router, configure all the HP switches for passive IGMP and allow 
the router to actively send the IGMP queries. 
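The table-driven forwarding decision described above, as an added Python model (this is illustration code, not HP software): Group Membership reports create (group, port) entries, an entry is removed once the age interval (default 140 seconds) passes without a fresh report, traffic for a group with members goes only to the member ports, and traffic for an unknown group is flooded out all ports except the one it arrived on. The `filter_unknown` flag models the forwarding policy from "Filtering Multicast Groups": unknown groups are dropped, but only after the first report has been seen. The class name, port names and group addresses are constructed for the example.

```python
# Added example (not HP code): a model of the IGMP-snooping forwarding table
# described in this section. Group Membership reports create (group, port)
# entries, entries age out after age_interval seconds (default 140), traffic
# for a group with members goes only to member ports, and traffic for an
# unknown group is flooded, or dropped once 'ip multicast filter' is in
# effect and at least one report has been seen. Port names are constructed.
from dataclasses import dataclass, field
from typing import Dict, Iterable, List


@dataclass
class IgmpSnoopTable:
    age_interval: int = 140           # seconds; the manual allows 10 - 1220
    filter_unknown: bool = False      # models 'ip multicast filter'
    # group address -> {port: time of the most recent report from that port}
    entries: Dict[str, Dict[str, int]] = field(default_factory=dict)

    def report(self, group: str, port: str, now: int) -> None:
        """Record a Group Membership report for `group` received on `port`."""
        self.entries.setdefault(group, {})[port] = now

    def age(self, now: int) -> None:
        """Drop (group, port) pairs not refreshed within age_interval."""
        for group in list(self.entries):
            ports = self.entries[group]
            for port, last in list(ports.items()):
                if now - last > self.age_interval:
                    del ports[port]
            if not ports:
                del self.entries[group]

    def forward_ports(self, group: str, ingress: str,
                      all_ports: Iterable[str], now: int) -> List[str]:
        """Ports on which a packet for `group` arriving on `ingress` is sent."""
        self.age(now)
        members = self.entries.get(group)
        if members:
            return sorted(p for p in members if p != ingress)
        if self.filter_unknown and self.entries:
            return []   # filter mode: reports seen, but none for this group
        # default (and filter mode before the first report): flood, minus ingress
        return sorted(p for p in all_ports if p != ingress)


if __name__ == "__main__":
    ports = ["1/1", "1/2", "1/3", "1/4"]
    table = IgmpSnoopTable()
    table.report("239.1.1.1", "1/2", now=0)
    print(table.forward_ports("239.1.1.1", "1/1", ports, now=60))   # ['1/2']
    print(table.forward_ports("239.1.1.1", "1/1", ports, now=200))  # ['1/2', '1/3', '1/4']
```

The second call shows why the age interval matters operationally: once the entry expires, traffic for the group reverts to flooding until the next report arrives, which is exactly the window the "active IGMP on one switch" advice in the NOTE above is meant to keep short.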

To enable IP Multicast Traffic Reduction, use either of the following methods. 

USING THE CLI 

To enable IP Multicast Traffic Reduction, enter the following command: 

HP6208(config)# ip multicast 
Syntax: [no] ip multicast 

To verify that IP Multicast Traffic Reduction is enabled, enter the following command at any level of the CLI: 

HP6208(config)# show ip multicast 
IP multicast is enabled - Active 

Syntax: show ip multicast 



NOTE: This command does not display a message if you have enabled IP Multicast Traffic Reduction but you 
have not yet reloaded the software. 

USING THE WEB MANAGEMENT INTERFACE 

To enable IP Multicast Traffic Reduction on an HP 6208M-SX: 

1. Log on to the device using a valid user name and password for read-write access. The System configuration 
panel is displayed. 

2. Select Enable next to IP Multicast. 

3. Click the Apply button to save the change to the device's running-config file. 

4. Select the Save link at the bottom of the dialog, then select Yes when prompted to save the configuration 
change to the startup-config file on the device's flash memory. 

Changing the IGMP Mode 

When you enable IP Multicast Traffic Reduction on the switch, IGMP also is enabled. The switch uses IGMP to 
maintain a table of the Group Membership reports received by the switch. You can use active or passive IGMP 
mode. The default mode is passive. 

• Active - When active IGMP mode is enabled, an HP switch actively sends out IGMP queries to identify IP 
multicast groups on the network and makes entries in the IGMP table based on the Group Membership 
reports received from the network. 



NOTE: Routers in the network generally handle this operation. Use the active IGMP mode only when the 
switch is in a stand-alone switched network with no external IP multicast router attachments. In this case, 
enable the active IGMP mode on only one of the switches and leave the other switches configured for passive 
IGMP mode. 



• Passive - When passive IGMP mode is enabled, the switch listens for IGMP Group Membership reports but 
does not send IGMP queries. The passive mode is sometimes called "IGMP snooping". Use this mode when 
another device in the network is actively sending queries. 

To change the IGMP mode, use either of the following methods. 



NOTE: You must reload the software after making this configuration change and saving it to the startup-config 
file. 
USING THE CLI 

To enable active IGMP, enter the following command: 

HP6208(config)# ip multicast active 
HP6208(config)# write memory 
HP6208(config)# end 
HP6208# reload 

Syntax: [no] ip multicast active | passive 

To enable passive IGMP, enter the following command: 

HP6208(config)# ip multicast passive 
HP6208(config)# write memory 
HP6208(config)# end 
HP6208# reload 

USING THE WEB MANAGEMENT INTERFACE 
To change the IGMP mode: 

1. Log on to the device using a valid user name and password for read-write access. The System configuration 
panel is displayed. 

2. Select Active or Passive next to IGMP. 

3. Click the Apply button to save the change to the device's running-config file. 

4. Select the Save link at the bottom of the dialog, then select Yes when prompted to save the configuration 
change to the startup-config file on the device's flash memory. 

Disabling IGMP on Individual Ports 

By default, when you enable IP multicast on the HP 6208M-SX, all ports on the switch are configured for IGMP. If 
you are using active IGMP, all ports can send IGMP queries and receive IGMP reports. If you are using passive 
IGMP, all ports can receive IGMP queries. 

You can disable IGMP on individual ports if you want to block all IP multicast traffic on those ports. When you 
disable IGMP on an individual port, the switch does not forward any multicast traffic out the port, but other ports 
can still send and receive multicast traffic. 

To disable IGMP on a port, use the following CLI method. 

NOTE: You must reload the software after making this configuration change and saving it to the startup-config 
file. 

USING THE CLI 

HP9300(config)# int e 1/5 
HP9300(config-if-1/5)# ip-multicast-disable 
Syntax: [no] ip-multicast-disable 

The command in this example disables IGMP on port 1/5 but does not affect the state of IGMP on other ports. 

USING THE WEB MANAGEMENT INTERFACE 

You cannot disable IGMP on a port using the Web management interface. 

Modifying the Query Interval 

The query interval specifies how often the HP 6208M-SX enabled for active IP Multicast Traffic Reduction sends 
Group Membership queries. 

NOTE: The query interval applies only to the active mode of IP Multicast Traffic Reduction. 

To modify the query interval, use the following CLI method. 

NOTE: You must reload the software after making this configuration change and saving it to the startup-config 
file. 

USING THE CLI 

To modify the query interval, enter a command such as the following: 

HP6208(config)# ip multicast query-interval 120 
Syntax: [no] ip multicast query-interval <interval> 

The <interval> parameter specifies the interval between queries. You can specify a value from 10 - 600 seconds. 
The default is 60 seconds. 

USING THE WEB MANAGEMENT INTERFACE 

You cannot configure this feature using the Web management interface. 

Modifying the Age Interval 

When the HP 6208M-SX receives a Group Membership report, the switch makes an entry in the IGMP group table 
for the group in the report. The age interval specifies how long the entry can remain in the table without the switch 
receiving another Group Membership report. 

To modify the age interval, use the following CLI method. 

NOTE: You must reload the software after making this configuration change and saving it to the startup-config 
file. 

USING THE CLI 

To modify the age interval, enter a command such as the following: 

HP6208(config)# ip multicast age-interval 280 
Syntax: [no] ip multicast age-interval <interval> 

The <interval> parameter specifies how long an entry can remain in the IGMP group table without the switch 
receiving another Group Membership report. You can specify a value from 10 - 1220 seconds. The default is 140 seconds. 

USING THE WEB MANAGEMENT INTERFACE 

You cannot configure this feature using the Web management interface. 

Filtering Multicast Groups 

By default, the HP 6208M-SX forwards multicast traffic for all valid multicast groups. You can configure the HP 
6208M-SX to filter out all multicast traffic for groups other than the ones for which the switch has received Group 
Membership reports. 

Thus configured, the switch forwards all multicast groups once the switch is started, until the switch receives a 
Group Membership report. Once the switch receives a Group Membership report, the switch drops all multicast 
packets for groups other than the ones for which the switch has received the Group Membership report. Once the 
switch receives a Group Membership report for a given group, the switch forwards traffic for that group instead of 
dropping the traffic. 

To enable IP multicast filtering, use the following CLI method. 

NOTE: You must reload the software after making this configuration change and saving it to the startup-config 
file. 

USING THE CLI 

To enable IP multicast filtering, enter the following command: 

HP6208(config)# ip multicast filter 
Syntax: [no] ip multicast filter 

USING THE WEB MANAGEMENT INTERFACE 

You cannot configure this feature using the Web management interface. 

Defining MAC Address Filters 

MAC layer filtering enables you to build access lists based on MAC layer headers in the Ethernet/IEEE 802.3 
frame. You can filter on the source and destination MAC addresses as well as other information such as the 
EtherType, LLC1 DSAP or SSAP numbers, and a SNAP EtherType. The filters apply to incoming traffic only. 



NOTE: You cannot use Layer 2 filters to filter Layer 4 information. To filter Layer 4 information, use IP access 
policies. See the "Policies and Filters" appendix in the Advanced Configuration and Management Guide. 



You configure MAC filters globally, then apply them to individual interfaces. To apply MAC filters to an interface, 
you add the filters to that interface's MAC filter group. 

The device takes the action associated with the first matching filter. If the packet does not match any of the filters 
in the access list, the default action is to drop the packet. If you want the system to permit traffic by default, you 
must specifically indicate this by making the last entry in the access list a permit filter. Here is an example: 
mac filter <last-index-number> permit any any 

For routing switches, the MAC filter is applied only to those inbound packets that are to be switched. This includes 
those ports associated with a Virtual Ethernet (VE) interface. However, the filter is not applied to the VE; it is 
applied to the physical port. 



NOTE: Use MAC Layer 2 filters only for switched traffic. If a routing protocol (for example, IP or IPX) is 
configured on an interface, a MAC filter defined on that interface is not applied to inbound packets. If you want to 
filter inbound route traffic, configure a route filter. 



When you create a MAC filter, it takes effect immediately. You do not need to reset the system. However, you do 
need to save the configuration to flash memory to retain the filters across system resets. 

For complete MAC filter examples, see the Command Line Interface Reference. 

To define a MAC filter, use one of the following methods. 

USING THE CLI 

To configure and apply a MAC filter, enter commands such as the following: 

HP9300(config)# mac filter 1 deny 3565.3475.3676 ffff.0000.0000 any etype eq 806 
HP9300(config)# mac filter 1024 permit any any 
HP9300(config)# int e 1/1 

HP9300(config-if-1/1)# mac filter-group 1 

These commands configure a filter to deny ARP traffic with a source MAC address that begins with "3565" to any 
destination. The second filter permits all traffic that is not denied by another filter. 



NOTE: Once you define a MAC filter, the device drops Layer 2 traffic that does not match a MAC permit filter. 



Syntax: mac filter <filter-num> permit | deny any | <H.H.H> any | <H.H.H> etype | llc | snap <operator> 
<frame-type> 

The <filter-num> is 1 - 64 (64 is the default system-max setting). If you use the system-max mac-filter-sys 
command, you can increase the maximum number of MAC filters supported to 128 for global filter definitions. 

The permit | deny argument determines the action the software takes when a match occurs. 

The <src-mac> <mask> | any parameter specifies the source MAC address. You can enter a specific address 
value and a comparison mask or the keyword any to filter on all MAC addresses. Specify the mask using f's 
(ones) and zeros. For example, to match on the first two bytes of the address aabb.ccdd.eeff, use the mask 
ffff.0000.0000. In this case, the filter matches on all MAC addresses that contain "aabb" as the first two bytes. 
The filter accepts any value for the remaining bytes of the MAC address. If you specify any, do not specify a 
mask. In this case, the filter matches on all MAC addresses. 

The <dest-mac> <mask> | any parameter specifies the destination MAC address. The syntax rules are the same 
as those for the <src-mac> <mask> | any parameter. 

Use the etype | llc | snap argument if you want to filter on information beyond the source and destination address. 
The MAC filter allows you to filter on the following encapsulation types: 

• etype (Ethertype) - a two byte field indicating the protocol type of the frame. This can range from 0x0600 to 
0xFFFF. 

• llc (IEEE 802.3 LLC1 SSAP and DSAP) - a two byte sequence providing similar function as the EtherType 
but for an IEEE 802.3 frame. 

• snap (IEEE 802.3 LLC1 SNAP) - a specific LLC1 type packet. 

To determine which type of frame is used on your network, use a protocol analyzer. If byte 12 of an Ethernet 
packet is equal to or greater than 0600 (hex), it is an Ethernet framed packet. Any number below this indicates an 
IEEE 802.3 frame (byte 12 will now indicate the length of the data field). Some well-known Ethernet types are 
0800 (TCP/IP), 0600 (XNS), and 8137 (Novell Netware). Refer to RFC 1042 for a complete listing of EtherTypes. 

For IEEE 802.3 frame, you can further distinguish the SSAP and DSAP of LLC header. Some well-known SAPs 
include: FE (OSI), F0 (NetBIOS), 42 (Spanning Tree BPDU), and AA (SNAP). Usually the DSAP and SSAP are 
the same. 



NOTE: You must type in both bytes, otherwise the software will fill the field, left justified with a 00. Refer to RFC 
1042 for a complete listing of SAP numbers. 



SNAP is defined as an IEEE 802.3 frame with the SSAP, DSAP, and control field set to AA, AA, and 03. 
Immediately following these is a five-byte SNAP header. The first three bytes in this header are not used by the 
MAC filters. However, the next two bytes usually are set to the EtherType, so you can define the EtherType inside 
the SNAP header that you want to filter on. 

The eq | gt | lt | neq argument specifies the possible operator: eq (equal), gt (greater than), lt (less than) and neq 
(not equal). 

The <frame-type> argument is a hexadecimal number for the frame type. For example, the hex number for ARP 
is 806. 

Syntax: mac filter log-enable 
Enables logging for filtered packets. 
Syntax: mac-filter-group <filter-list> 
Applies MAC filters to a port. 



NOTE: Remember that the filters must be applied as a group. For example, if you want to apply four filters to an 
interface, they must all appear on the same command line. 
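The frame classification rules (byte 12 at or above 0600 hex means Ethernet II; otherwise an IEEE 802.3 length followed by DSAP/SSAP, with AA AA 03 marking a SNAP header whose last two bytes carry the EtherType) and the filter-group semantics (ordered evaluation, first match decides, implicit drop when nothing matches) described above, as an added Python model. This is illustration code, not HP software. The two filters are the ones from the CLI example; every frame and MAC address below is constructed for the example, and representing the llc frame type as the DSAP byte followed by the SSAP byte is an assumption, not something the manual states.

```python
# Added example (not HP code): classify a raw Ethernet frame into the
# etype / llc / snap encapsulations this section distinguishes, then evaluate
# a MAC filter group with the stated semantics: filters are tried in the
# listed order, the first match decides, and an unmatched frame is dropped.
# All frames and addresses are constructed; treating the llc frame type as
# DSAP<<8 | SSAP is an assumption.
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_mac(text: str) -> int:
    """'3565.3475.3676', 'ff-ff-ff-00-00-00' or 'ffff.0000.0000' -> 48-bit int."""
    return int(text.replace(".", "").replace("-", "").replace(":", ""), 16)


def classify_frame(frame: bytes) -> Tuple[str, int]:
    """Return (encapsulation, frame_type). Bytes 12-13 >= 0x0600 is an
    EtherType; otherwise an 802.3 length with DSAP/SSAP/ctrl at 14-16, and
    AA AA 03 introduces a 5-byte SNAP header whose last two bytes are the type."""
    if len(frame) < 14:
        raise ValueError("runt frame: no complete MAC header")
    type_or_len = int.from_bytes(frame[12:14], "big")
    if type_or_len >= 0x0600:
        return "etype", type_or_len
    if len(frame) < 17:
        raise ValueError("truncated 802.3 LLC header")
    dsap, ssap, ctrl = frame[14], frame[15], frame[16]
    if dsap == 0xAA and ssap == 0xAA and ctrl == 0x03:
        if len(frame) < 22:
            raise ValueError("truncated SNAP header")
        return "snap", int.from_bytes(frame[20:22], "big")
    return "llc", (dsap << 8) | ssap


@dataclass
class MacFilter:
    num: int
    permit: bool
    src: Optional[int]            # None means 'any'
    src_mask: int
    dst: Optional[int]
    dst_mask: int
    encap: Optional[str] = None   # 'etype', 'llc', 'snap' or None (addresses only)
    op: str = "eq"                # eq | gt | lt | neq
    frame_type: int = 0

    def matches(self, src: int, dst: int, encap: str, ftype: int) -> bool:
        # Mask semantics: 'f' nibbles must match, '0' nibbles match anything.
        if self.src is not None and (src & self.src_mask) != (self.src & self.src_mask):
            return False
        if self.dst is not None and (dst & self.dst_mask) != (self.dst & self.dst_mask):
            return False
        if self.encap is None:
            return True
        if encap != self.encap:
            return False
        return {"eq": ftype == self.frame_type, "neq": ftype != self.frame_type,
                "gt": ftype > self.frame_type, "lt": ftype < self.frame_type}[self.op]


def apply_filter_group(filters: List[MacFilter], frame: bytes) -> str:
    """First matching filter decides; no match means the frame is dropped."""
    dst = int.from_bytes(frame[0:6], "big")
    src = int.from_bytes(frame[6:12], "big")
    encap, ftype = classify_frame(frame)
    for f in filters:
        if f.matches(src, dst, encap, ftype):
            return "permit" if f.permit else "deny"
    return "deny"


def build_frame(dst: str, src: str, encap: str, value: int,
                payload: bytes = b"\x00" * 46) -> bytes:
    """Construct a sample frame of the given encapsulation (test data only)."""
    hdr = parse_mac(dst).to_bytes(6, "big") + parse_mac(src).to_bytes(6, "big")
    if encap == "etype":
        return hdr + value.to_bytes(2, "big") + payload
    if encap == "llc":
        body = value.to_bytes(2, "big") + b"\x03" + payload        # DSAP SSAP ctrl
    else:
        body = b"\xaa\xaa\x03\x00\x00\x00" + value.to_bytes(2, "big") + payload
    return hdr + len(body).to_bytes(2, "big") + body


# The two filters from the CLI example: deny ARP from 3565.xxxx.xxxx, permit the rest.
EXAMPLE_FILTERS = [
    MacFilter(1, False, parse_mac("3565.3475.3676"), parse_mac("ffff.0000.0000"),
              None, 0, encap="etype", op="eq", frame_type=0x806),
    MacFilter(1024, True, None, 0, None, 0),
]

if __name__ == "__main__":
    arp = build_frame("ffff.ffff.ffff", "3565.aaaa.bbbb", "etype", 0x0806)
    print(apply_filter_group(EXAMPLE_FILTERS, arp))   # deny
    print(apply_filter_group([], arp))                # deny (no permit filter at all)
```

Passing an empty filter list shows the point of the NOTE above: a port with a filter group but no trailing permit entry drops every frame, which is why the example ends its list with `mac filter 1024 permit any any`.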



USING THE WEB MANAGEMENT INTERFACE 
To define a MAC filter: 

1. Log on to the device using a valid user name and password for read-write access. The System configuration 
panel is displayed. 

2. Click on the plus sign next to Configure in the tree view to display the configuration options. 

3. Click on the plus sign next to System in the tree view to display the system configuration options. 

4. Select the MAC Filter link. 

• If the device does not have any MAC filters configured, the MAC Filter configuration panel is displayed, 
as shown in the following example. 
• If a MAC filter is already configured and you are adding a new one, click on the Add MAC Filter link to 
display the MAC Filter configuration panel, as shown in the following example. 

• If you are modifying an existing MAC filter, click on the Modify button to the right of the row describing the 
filter to display the MAC Filter configuration panel, as shown in the following example. 
[Figure: MAC Filter configuration panel. Fields shown: Source Mask, Destination Address, Destination Mask, 
Frame Type, Operator, Protocol. Buttons: Add, Modify, Delete, Reset. Links: Show Filter Group; Home, Site Map, 
Logout, Save, Frame Enable/Disable, TELNET.] 

5. Edit the value in the ID field if you want to assign the filter a different ID. The software automatically 
increments this field each time you add a MAC filter. 

6. Select the filter action by selecting Permit or Deny next to Action. 

7. Enter the source MAC address in the Source Address field. Separate the bytes in the address with dashes. 

8. Enter the comparison mask for the source address in the Source Mask field. The mask consists of "f"s and 
"0"s or the word "any". 

• An "f" indicates a significant bit. The software checks the indicated bit in each packet's source MAC 
address. 

• A "0" indicates an insignificant bit. The software does not care what value is in the bit position. 

• "any" matches all bits and is equivalent to entering "ff-ff-ff-ff-ff-ff". 

9. Enter the destination MAC address in the Destination Address field. Separate the bytes in the address with 
dashes. 

10. Enter the comparison mask for the destination address in the Destination Mask field. 

11. Select the frame type from the Frame Type field's pulldown menu. 

12. Select an operator from the Operator field's pulldown menu to filter by protocol type. 

13. Enter a protocol in the Protocol field. 

14. Click the Add button to save the filter to the device's running-config file. The filter is now configured in the 
software but has not yet been applied to a port. 

15. Select the Filter Group link. 

• If the device does not have any MAC filter groups configured, the Filter Group configuration panel is 
displayed, as shown in the following example. 

• If a MAC filter group is already configured and you are adding a new one, click on the Add MAC Filter 
Group link to display the Filter Group configuration panel, as shown in the following example. 
• If you are modifying an existing MAC filter group, click on the Modify button to the right of the row 
describing the filter group to display the Filter Group configuration panel, as shown in the following 
example. 



[Figure: Filter Group configuration panel. Fields shown: Slot, Port, Filter ID List (example value: 1 2 3 1024). 
Buttons: Add, Delete, Reset. Links: Show MAC Filter; Home, Site Map, Logout, Save, Frame Enable/Disable, 
TELNET.] 



16. Select the port (and slot, if applicable) for which you are configuring the filter group. You can configure one 
MAC filter group on each port. 

17. Enter the filter numbers in the Filter ID List field. Separate each filter number from the next one by a single 
space. The software applies the filters in the order you list them, from left to right. When a packet matches a 
filter, the software stops comparing the packet against the filter list and applies the action specified in the 
matching filter. 

18. Click the Add button to save the filter to the device's running-config file. 

19. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change 
to the startup-config file on the device's flash memory. 

Enabling Logging of Packets Denied by MAC Filters 

You can configure the HP device to generate Syslog entries and SNMP traps for packets that are denied by Layer 
2 MAC filters. You can enable logging of denied packets on a global basis or an individual port basis. 

See Example 4 in the "show logging" section in the "Show Commands" chapter of the Command Line Interface 
Reference for a description of how the timer for the entries works. Layer 2 MAC filters and IP access policies use 
the same timer, whereas Access Control Lists (ACLs) use a separate timer, but the timers work the same way. 
Thus, the description of how the ACL timer works also applies to the Layer 2 MAC filters and IP access policies. 

USING THE CLI 

To configure Layer 2 MAC filter logging globally, enter the following CLI commands at the global CONFIG level: 

HP9300(config)# mac filter log_en 
HP9300(config)# write memory 
Syntax: [no] mac filter log_en 

To configure Layer 2 MAC filter logging for MAC filters applied to ports 1/1 and 3/3, enter the following CLI 
commands: 

HP9300(config)# int ethernet 1/1 
HP9300(config-if-1/1)# mac filter-group log_en 
HP9300(config-if-1/1)# int ethernet 3/3 
HP9300(config-if-3/3)# mac filter-group log_en 
HP9300(config-if-3/3)# write memory 

Syntax: [no] mac filter-group log_en 

USING THE WEB MANAGEMENT INTERFACE 

You cannot configure a Layer 2 MAC filter to generate Syslog entries and SNMP traps for denied packets using 
the Web management interface. 
Defining Broadcast and Multicast Filters 

You can filter Layer 2 broadcast and multicast packets on specific ports. 

• Layer 2 broadcast packets have the value "FFFFFFFFFFFF" (all ones) in the destination MAC address field. 
You can configure broadcast filters for all types of IP packets or for UDP packets. 

• Layer 2 multicast packets have a multicast address in the destination MAC address field. You can configure 
multicast filters to filter on all MAC addresses or a specific multicast address. 

You can configure up to eight of each type of filter. 

To configure a Layer 2 broadcast or multicast filter, you define the filter globally to either filter out all types of 
broadcasts or to filter out only IP UDP broadcasts. After configuring a broadcast or multicast filter, you apply it to 
specific ports. Broadcast and multicast filters apply only to outbound traffic. 

When defining the filter, you can specify a port-based VLAN ID. If a port is a member of more than one VLAN and 
is a tagged port, specifying a VLAN ID causes the filter to be applied only to traffic for the specified VLAN on the 
tagged ports to which you apply the filter. Otherwise, the filter applies to all the VLANs of which the port is a 
member. 

The filters are applied in numerical order, beginning with filter number 1. As soon as the software finds a matching 
filter for a given packet, the filtering process stops for that packet. For example, if you configure filter 1 to filter all 
broadcast traffic and filter 2 to filter only IP UDP traffic, filter 1 will always be true for any broadcast packet, and 
thus the software will never consult filter 2 for ports that you configure to use filter 1. 

Configuring a Layer 2 Broadcast Filter 

To configure a broadcast filter, you must have access to the CONFIG level of the CLI. You can configure up to 
eight broadcast filters on a device. 

Syntax: [no] broadcast filter <filter-id> any | ip udp [vlan <vlan-id>] 
Syntax: [no] exclude-ports ethernet <portnum> to <portnum> 
Or 

Syntax: [no] exclude-ports ethernet <portnum> ethernet <portnum> 

The exclude-ports command specifies the ports to which the filter applies. 

The <filter-id> specifies the filter number and can be a number from 1 - 8. The software applies the filters in 
ascending numerical order. As soon as a match is found, the software takes the action specified by the filter 
(block the broadcast) and does not compare the packet against additional broadcast filters. 

You can specify any or ip udp as the type of broadcast traffic to filter. The any parameter prevents all broadcast 
traffic from being sent on the specified ports. The ip udp parameter prevents all IP UDP broadcasts from being 
sent on the specified ports but allows other types of broadcast traffic. 

If you specify a port-based VLAN ID, the filter applies only to the broadcast domain of the specified VLAN, not to 
all broadcast domains (VLANs) on the device. 

As soon as you press Enter after entering the command, the CLI changes to the configuration level for the filter 
you are configuring. You specify the ports to which the filter applies at the filter's configuration level. 



NOTE: This is the same command syntax as that used for configuring port-based VLANs. Use the first 
command for adding a range of ports. Use the second command for adding separate ports (not in a range). You 
also can combine the syntax. For example, you can enter exclude-ports ethernet 1/4 ethernet 2/6 to 2/9. 



Configuration Examples 

To configure a Layer 2 broadcast filter to filter all types of broadcasts, then apply the filter to ports 1/1, 1/2, and 
1/3, enter the following commands: 

HP9300(config)# broadcast filter 1 any 

HP9300(config-bcast-filter-id-1)# exclude-ports ethernet 1/1 to 1/3 
HP9300(config-bcast-filter-id-1)# write memory 

To configure two filters, one to filter IP UDP traffic on ports 1/1 - 1/4, and the other to filter all broadcast traffic on 
port 4/6, enter the following commands: 

HP9300(config)# broadcast filter 2 ip udp 

HP9300(config-bcast-filter-id-2)# exclude-ports ethernet 1/1 to 1/4 
HP9300(config-bcast-filter-id-2)# exit 
HP9300(config)# broadcast filter 3 any 

HP9300(config-bcast-filter-id-3)# exclude-ports ethernet 4/6 
HP9300(config-bcast-filter-id-3)# write memory 

To configure an IP UDP broadcast filter that applies only to port-based VLAN 10, then apply the filter to 
two ports within the VLAN, enter the following commands: 

HP9300(config)# broadcast filter 4 ip udp vlan 10 

HP9300(config-bcast-filter-id-4)# exclude-ports eth 1/1 eth 1/3 

HP9300(config-bcast-filter-id-4)# write memory 

Configuring a Layer 2 Multicast Filter 

To configure a multicast filter, you must have access to the CONFIG level of the CLI. You can configure up to 
eight multicast filters on a device. 

Syntax: [no] multicast filter <filter-id> any | ip udp mac <multicast-address> | any [mask <mask>] 
[vlan <vlan-id>] 

The parameter values are the same as those for the broadcast filter command. In addition, the multicast filter 
command requires the mac <multicast-address> | any parameter, which specifies the multicast address. Enter 
mac any to filter on all multicast addresses. 

Enter mac followed by a specific multicast address to filter only on that multicast address. To filter on a range of 
multicast addresses, use the mask <mask> parameter. For example, to filter on multicast groups 
0100.5e00.5200 - 0100.5e00.52ff, use mask ffff.ffff.ff00. The default mask matches all bits (is all Fs). You can 
leave the mask off if you want the filter to match on all bits in the multicast address. 

Configuration Examples 

To configure a Layer 2 multicast filter to filter all multicast groups, then apply the filter to ports 2/4, 2/5, and 2/8, 
enter the following commands: 

HP9300(config)# multicast filter 1 any 

HP9300(config-mcast-filter-id-1)# exclude-ports ethernet 2/4 to 2/5 ethernet 2/8 
HP9300(config-mcast-filter-id-1)# write memory 

To configure a multicast filter to block all multicast traffic destined for multicast addresses 0100.5e00.5200 - 
0100.5e00.52ff on port 4/8, enter the following commands: 

HP9300(config)# multicast filter 2 any mac 0100.5e00.5200 mask ffff.ffff.ff00 
HP9300(config-mcast-filter-id-2)# exclude-ports ethernet 4/8 
HP9300(config-mcast-filter-id-2)# write memory 

The software calculates the range by combining the mask with the multicast address. In this example, all but the 
last eight bits in the mask are "significant bits" (ones). The last eight bits are zeros and thus match on any value. 
Each "f" or "0" is four bits. 
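The mask arithmetic just described, and the "lowest filter number first, stop at the first match" rule stated at the start of "Defining Broadcast and Multicast Filters", as an added Python model (illustration code, not HP software). `mask_range()` reproduces the manual's example: address 0100.5e00.5200 with mask ffff.ffff.ff00 covers 0100.5e00.5200 - 0100.5e00.52ff, and omitting the mask matches all bits. `first_match()` shows how a lower-numbered `any` filter shadows a more specific one. Addresses other than the one from the manual are constructed for the example.

```python
# Added example (not HP code): how an address/mask pair in a 'multicast filter
# ... mac <address> mask <mask>' command is interpreted. Each hex digit of the
# mask is four bits; 'f' digits are significant and must match, '0' digits
# match anything. first_match() applies the ordering rule stated for these
# filters: lowest filter number first, stop at the first hit. Addresses other
# than 0100.5e00.5200 / ffff.ffff.ff00 (from the manual) are constructed.
from typing import List, Optional, Tuple

MAC_BITS = 0xFFFFFFFFFFFF


def parse_mac(text: str) -> int:
    """'0100.5e00.5200' -> 48-bit integer."""
    return int(text.replace(".", ""), 16)


def fmt_mac(value: int) -> str:
    """48-bit integer -> 'xxxx.xxxx.xxxx' in the CLI's notation."""
    h = f"{value:012x}"
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def mask_range(address: str, mask: str = "ffff.ffff.ffff") -> Tuple[str, str]:
    """Lowest and highest address matched by (address, mask); default mask is all Fs."""
    a, m = parse_mac(address), parse_mac(mask)
    low = a & m                       # significant bits fixed, others cleared
    high = low | (~m & MAC_BITS)      # insignificant bits all set
    return fmt_mac(low), fmt_mac(high)


def matches(address: str, mask: str, candidate: str) -> bool:
    """True if candidate agrees with address in every significant (f) bit."""
    a, m, c = parse_mac(address), parse_mac(mask), parse_mac(candidate)
    return (a & m) == (c & m)


def is_l2_multicast(mac: str) -> bool:
    """Group bit (least significant bit of the first octet) set; broadcast counts too."""
    return bool((parse_mac(mac) >> 40) & 0x01)


def first_match(filters: List[Tuple[int, str, str]], dst_mac: str) -> Optional[int]:
    """Filters are (number, 'any' or address, mask), consulted in ascending number order.
    Returns the number of the first filter that matches, or None."""
    for num, addr, mask in sorted(filters):
        if addr == "any" or matches(addr, mask, dst_mac):
            return num
    return None


if __name__ == "__main__":
    print(mask_range("0100.5e00.5200", "ffff.ffff.ff00"))  # ('0100.5e00.5200', '0100.5e00.52ff')
    # Filter 1 'any' shadows filter 2 for every multicast frame on a port that uses both.
    print(first_match([(2, "0100.5e00.5200", "ffff.ffff.ff00"), (1, "any", "")], "0100.5e00.5250"))  # 1
```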
Locking a Port To Restrict Addresses 

Lock-address filters allow you to limit the number of devices that have access to a specific port. Access violations 
are reported as SNMP traps. By default this feature is disabled. A maximum of 2,048 entries can be specified for 
access. The default address count is eight. 

USING THE CLI 

EXAMPLE: 

To enable address locking for port 2 and place a limit of 15 entries: 

HP6208(config)# lock e 2 addr 15 

Syntax: lock-address ethernet <portnum> [addr-count <num>] 

USING THE WEB MANAGEMENT INTERFACE 

To enable address locking on a port: 

1. Log on to the device using a valid user name and password for read-write access. The System configuration 
panel is displayed. 

2. Click on the plus sign next to Configure in the tree view to display the configuration options. 

3. Select the Port link to display the Port table. 

4. Click on the Modify button next to the row of information for the port you want to reconfigure. 

5. Select Enable next to Lock Address. 

6. Enter the maximum number of MAC addresses you want the device to learn on the port in the MAC Address 
field. 

7. Click Apply to save the changes to the device's running-config file. 

8. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change 
to the startup-config file on the device's flash memory. 
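A model of the address-locking behaviour described in this section, added here as an example (it is not HP code): a port learns source MACs up to its addr-count, and any further new source is a violation that would be reported as an SNMP trap. The lower bound of 1, the "learned addresses keep passing" rule and the sample traffic are this example's assumptions.

```python
from dataclasses import dataclass, field

MAX_ADDR_COUNT = 2048      # largest address count the feature accepts
DEFAULT_ADDR_COUNT = 8     # used when addr-count is omitted


@dataclass
class LockedPort:
    """One port with address locking enabled.

    Source MACs seen on the port are learned until addr_count is reached;
    every further new source is a violation, which the device would report
    as an SNMP trap (modelled here by appending to `traps`)."""
    name: str
    addr_count: int = DEFAULT_ADDR_COUNT
    learned: list[str] = field(default_factory=list)
    traps: list[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Assumption: 1 is the smallest useful count; 2048 is the manual's maximum.
        if not 1 <= self.addr_count <= MAX_ADDR_COUNT:
            raise ValueError(f"addr-count must be 1-{MAX_ADDR_COUNT}")

    def receive(self, src_mac: str) -> bool:
        """Return True if a frame from src_mac is accepted on this port."""
        mac = src_mac.lower()
        if mac in self.learned:            # already-learned stations keep working
            return True
        if len(self.learned) < self.addr_count:
            self.learned.append(mac)       # still room: learn the new station
            return True
        self.traps.append(f"{self.name}: lock-address violation from {mac}")
        return False


def run_lock_demo(addr_count: int, frames: list[str]) -> tuple[int, int, list[str]]:
    """Feed constructed frames (source MACs) to a locked port; return
    (accepted, rejected, trap messages)."""
    port = LockedPort("ethernet 2", addr_count)
    accepted = sum(port.receive(mac) for mac in frames)
    return accepted, len(frames) - accepted, port.traps


if __name__ == "__main__":
    # Constructed traffic: two legitimate stations, then an unknown third source.
    sample = ["0050.da12.3401", "0050.da12.3402", "0050.da12.3401", "00e0.5200.beef"]
    print(run_lock_demo(2, sample))
```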

Enabling or Disabling Routing Protocols 

HP routing switches support the following protocols: 

• IP 

• IPX 

• BGP4 

• OSPF 

• RIP 

• DVMRP 

• PIM 

• AppleTalk 

• VRRP 

• VRRPE 

• SRP 

By default, IP routing is enabled on routing switches. All other protocols are disabled, so you must enable them to 
configure and use them. 
NOTE: The following protocols require a system reset before the protocol will be active on the system: PIM, 
DVMRP, RIP, SRP, and IPX. To reset a system, select the Reload link (Web) or enter the reload command at the 
privileged level of the CLI. 

USING THE CLI 

To enable a protocol on an HP routing switch, enter router at the global CONFIG level, followed by the protocol to 
be enabled. The following example shows how to enable OSPF: 

HP9300(config)# router ospf
HP9300(config)# end
HP9300# write memory
HP9300# reload

Syntax: router appletalk | bgp | dvmrp | ipx | ospf | pim | rip | srp | vrrp | vrrpe 

USING THE WEB MANAGEMENT INTERFACE 

To enable protocols on a routing switch: 

1. Log on to the device using a valid user name and password for read-write access. The System configuration 
panel is displayed. 

2. Select the Enable option next to the protocol(s) to be enabled. 

NOTE: If you are enabling BGP4, you must also specify the local AS number in the Local AS field. 

NOTE: Do not enable both SRP and VRRP. Hewlett-Packard recommends that you use only one of these 
router redundancy protocols on a routing switch. 

3. Click Apply to save the changes to the device's running-config file. 

4. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change 
to the startup-config file on the device's flash memory. 

NOTE: You also can access the dialog for saving configuration changes by clicking on Command in the tree 
view, then clicking on Save to Flash . 

If you enable PIM, DVMRP, RIP, SRP, or IPX, you must reload the software to place the change into effect. 

1. Click on the plus sign next to Command in the tree view to list the command options. 

2. Select the Reload link and select Yes when the Web management interface asks you whether you really want 
to reload the software. 

Displaying and Modifying System Parameter Default Settings 

HP devices have default table sizes for the following parameters. The table sizes determine the maximum 
number of entries the tables can hold. You can adjust individual table sizes to accommodate your configuration 
needs. 

• MAC address entries 

• Layer 2 Port VLANs supported on a system 

• Layer 3 Protocol VLANs supported on a system 

• Layer 4 sessions supported 

• IP cache size 

• ARP entries 

• IP routes 

• IP route filters 

• IP sub-nets per port and per device 

• Static routes 

• IGMP 

• DVMRP routes 

• IPX/SAP entries 

• IPX/RIP entries 

• IPX/SAP filters 

• IPX/RIP filters 

• IPX forwarding filters 

• AppleTalk routes 

• AppleTalk zones 

The tables you can configure and the defaults and valid ranges for each table differ depending on the HP device 
you are configuring. 

NOTE: If you increase the number of sub-net addresses you can configure on each port to a higher amount, you 
might also need to increase the total number of sub-nets that you can configure on the device. 

To display and configure the adjustable tables on a device, use one of the following methods. 

NOTE: Changing the table size for a parameter reconfigures the device's memory. Whenever you reconfigure 
the memory, you must save the change to the startup-config file, then reload the software to place the change into 
effect. 

USING THE CLI 

To display the configurable tables and their defaults and maximum values, enter the following command at any 
level of the CLI: 

HP9300# show default values

sys log buffers: 50        mac age time: 300 sec        telnet sessions: 5
ip arp age: 10 min         bootp relay max hops: 4      ip ttl: 64 hops
ip addr per intf: 24

when multicast enabled:
igmp group memb.: 140 sec  igmp query: 60 sec

when ospf enabled:
ospf dead: 40 sec          ospf hello: 10 sec           ospf retrans: 5 sec
ospf transit delay: 1 sec

when bgp enabled:
bgp local pref.: 100       bgp keep alive: 60 sec       bgp hold: 180 sec
bgp metric: 10             bgp local as: 1              bgp cluster id: 0
bgp ext. distance: 20      bgp int. distance: 200       bgp local distance: 200

System Parameters       Default     Maximum     Current
ip-arp                  8000        64000       8000
ip-static-arp           1024        2048        1024
atalk-route             512         1536        512
atalk-zone-port         64          255         64
atalk-zone-sys          255         1024        255
dvmrp                   2048        32000       2048
igmp                    256         1024        256
ip-cache                128000      256000      128000
ip-filter-port          512         4096        512
ip-filter-sys           1024        8192        1024
ipx-forward-filter      256         1024        256
ipx-rip-entry           3072        32728       3072
ipx-rip-filter          256         1024        256
ipx-sap-entry           6144        32768       6144
ipx-sap-filter          256         1024        256
l3-vlan                 32          2048        32
ip-qos-session          2048        32000       2048
l4-real-server          1024        2048        1024
l4-virtual-server       256         512         256
l4-server-port          2048        4096        2048
mac                     8000        64000       8000
ip-route                128000      200000      128000
ip-static-route         512         2048        512
vlan                    16          2048        16
[one table row is illegible in the scanned source]
mac-filter-port         32          512         32
mac-filter-sys          64          1024        64
ip-subnet-port          24          128         24
session-limit           131072      500000      131072
view                    10          65535       10
virtual-interface       255         2048        255


Information for the configurable tables appears under the columns that are shown in bold type in this example. To 
simplify configuration, the command parameter you enter to configure the table is used for the table name. For 
example, to increase the capacity of the IP route table, enter the following commands: 

HP9300(config)# system-max ip-route 120000
HP9300(config)# write memory
HP9300(config)# exit
HP9300# reload



NOTE: If you accidentally enter a value that is not within the valid range of values, the CLI will display the valid 
range for you. 



To increase the number of IP sub-net interfaces you can configure on each port on a routing switch from 24 to 64, 
then increase the total number of IP interfaces you can configure on the device from 256 to 512, enter the 
following commands: 

HP9300(config)# system-max subnet-per-interface 64
HP9300(config)# write memory
HP9300(config)# exit
HP9300# reload

Syntax: system-max subnet-per-interface <num> 

The <num> parameter specifies the maximum number of sub-net addresses per port and can be from 1 - 64. The 
default is 24. 

Syntax: system-max subnet-per-system <num> 
The <num> parameter specifies the maximum number of sub-net addresses for the entire device and can be from 
1 - 512. The default is 256. 

HP9300(config)# system-max subnet-per-system 512
HP9300(config)# write memory
HP9300(config)# exit
HP9300# reload

USING THE WEB MANAGEMENT INTERFACE 

To modify a table size using the Web management interface: 

1. Log on to the device using a valid user name and password for read-write access. The System configuration 
panel is displayed. 

2. Select the Max-Parameter link to display the Configure System Parameter Maximum Value table. This table 
lists the settings and valid ranges for all the configurable table sizes on the device. 

3. Click the Modify button next to the row for the table you want to change. 

4. Enter the new value for the table size. The value you enter specifies the maximum number of entries the 
table can hold. 

5. Click Apply to save the changes to the device's running-config file. 

6. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change 
to the startup-config file on the device's flash memory. 

7. Click on the plus sign next to Command in the tree view to list the command options. 

8. Select the Reload link and select Yes when the Web management interface asks you whether you really want 
to reload the software. Changes to table sizes do not take effect until you reload the software. 

Assigning a Mirror Port and Monitor Ports 

You can monitor traffic on HP ports by configuring another port to "mirror" the traffic on the ports you want to 
monitor. By attaching a protocol analyzer to the mirror port, you can observe the traffic on the monitored ports. 

You can monitor input traffic, output traffic, or both. Any port can operate as a mirror port. 

Monitoring traffic on a port is a two-step process: 

• Enable a port to act as the mirror port. 

• Identify the ports on which the traffic is to be monitored (the monitor ports). 
You can select multiple monitor ports but only one mirror port. 

NOTE: A Chassis device can mirror only the in (receive) traffic across the backplane. Thus, if the mirror and 
monitor ports are on different slots, only the in traffic appears on the mirror port. 

USING THE CLI 
EXAMPLE: 

Suppose you want to diagnose the in and out traffic on port 3 on a module in slot 4 of an HP 9304M or HP 9308M, 
and use port 1 in slot 4 as the mirror port. To do so, enter the following: 

HP9300(config)# mirror-port e 4/1
HP9300(config)# interface e 4/3
HP9300(config-if-4/3)# monitor both

Syntax: mirror-port ethernet <portnum> 
NOTE: To monitor just the in traffic, enter "in" instead of "both" in the above command. To monitor only the out 
traffic, enter "out" instead of "both" in the above command. 

USING THE WEB MANAGEMENT INTERFACE 
EXAMPLE: 

Suppose you want to diagnose the in and out traffic on port 3 on a module in slot 4 of an HP 9304M or HP 
9308M, using port 1 in slot 4 as the mirror port. To do so: 

1. Log on to the device using a valid user name and password for read-write access. The System configuration 
panel is displayed. 

2. Select the Advance link to display the advanced system configuration panel. 

3. Select the slot (if applicable) and port from the corresponding pulldown menus next to Mirror Slot. In this 
example, select slot 4 and port 1 . 

4. Click Apply to save the changes to the device's running-config file. 

5. Click on the plus sign next to Configure in the tree view to display the configuration options. 

6. Select the Port link to display the Port table. 

7. Click the Modify button next to the port you want to monitor. In this example, select port 3 on the module in 
slot 4 (4/3). 

8. Select the traffic direction you want to monitor. For this example, select In & Out. 

9. Click Apply to save the changes to the device's running-config file. 

10. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change 
to the startup-config file on the device's flash memory. 

Displaying the Current Mirror and Monitor Port Configuration 

You can display the current port mirroring and monitoring configuration using the following CLI method. 
USING THE CLI 

To display the current mirroring and monitoring configuration, enter the following command at any level of the CLI: 

HP9300(config)# show monitor

Mirror Interface: ethernet 4/1
Monitored Interfaces:
                Both            Input           Output
                ethernet 4/3

Syntax: show monitor 

This example shows the monitoring and mirroring configuration set up by the commands in the example in the 
previous section. Port 4/1 is the mirror interface, to which the software copies ("mirrors") the traffic on port 4/3. In 
this case, both directions of traffic on the monitored port are mirrored to port 4/1 . 

If only the incoming traffic is mirrored, the monitored interface is listed under Input. If only the outbound traffic is 
mirrored, the monitored interface is listed under Output. 

USING THE WEB MANAGEMENT INTERFACE 

You cannot display this information using the Web management interface. 
This appendix lists the hardware specifications for the HP 9304M, HP 9308M, and HP 6208M-SX routing switches 
and the HP 6208M-SX switch. 

Electrical Specifications 

Table A.1: Electrical specifications 

Device          Input Voltage Range         Current Rating          Line Frequency
HP 6208M-SX     100-240 VAC                 5-2.5 Amps              50 - 60 Hz
HP 6308M-SX     Autoranging
HP 9304M        100-120/200-240 VAC         HP 9304M: 8/4 Amps      50 - 60 Hz
HP 9308M        Autoranging                 HP 9308M: 16/8 Amps



Physical Specifications 

Table A.2: Physical dimensions 

Depth       Width       Length (Height)     Weight
15"         17.5"       23"                 69.1 lbs. fully populated
15"         17.5"       9"                  47.7 lbs. fully populated
16.75"      17.5"       2.75"               18-22 lbs.



Operating Environment 

• Operating Temperature: 32° - 104° F, 0° - 40° C 

• Relative Humidity: 5% - 90%, non-condensing 

• Operating Altitude: 0 - 10,000 feet 

Storage Environment 

• Storage Temperature: -40° - 158° F, -40° - 70° C 

• Storage Humidity: 95% maximum, non-condensing 

• Storage Altitude: 10,000 feet (3,000 meter) maximum 

Electromagnetic Emissions 

• FCC Class A, Part 15, Subpart B 

• EN 55022A Class A 

• VCCI Class A 

• EN50082-1 

Safety Agency Approvals 

• UL1950 

• CSA-C22.2 No. 950 93 

• TUV EN 60950, EN 60825 

Laser 

• Class 1 Laser Product 

• Laser Klasse 1 

• Complies with IEC 825-2: 1993 
This appendix lists the following information: 

• Standards compliance 

• RFC support 

• Internet drafts support 

Standards Compliance 

The HP 9304M, HP 9308M, and HP 6208M-SX routing switches and the HP 6208M-SX switch support the 
following standards. 

NOTE: The routing protocol standards apply only to the routing switches. 

• IEEE 802.3, 10BaseT 

• IEEE 802.3u, 100BaseTX, 100BaseFX 

• 802.3z 1000BaseSX, 1000BaseLX 

• 802.3x Flow Control 

• 802.1p/q VLAN Tagging 

• 802.1d Bridging 

• 802.3 Ethernet-like MIB 

• Repeater MIB 

• Ethernet Interface MIB 

• SNMP V1 and V2 

• SNMP MIB II 
RFC Support 

The following table lists the RFCs supported by the HP 9304M, HP 9308M, and HP 6208M-SX routing switches 
and the HP 6208M-SX switch. 



NOTE: Some devices support only a subset of the RFCs. For example, the HP 6208M-SX switch does not 
support router-specific RFCs. 



Table B.1: RFC Support 

RFC Number          Protocol or Standard
768                 User Datagram Protocol (UDP)
783                 Trivial File Transfer Protocol (TFTP)
791                 Internet Protocol (IP)
792                 Internet Control Message Protocol (ICMP)
793                 Transmission Control Protocol (TCP)
826                 Ethernet Address Resolution Protocol (ARP)
854, 855, and 857   Telnet
894                 IP over Ethernet frames
903                 Reverse ARP (RARP)
906                 Bootstrap loading using TFTP
919                 Broadcast Internet datagrams
920                 Domain requirements
922                 Broadcast Internet datagrams in the presence of subnets
950                 Internet standard subnetting procedure
951                 Bootstrap Protocol (BootP)
1027                Proxy ARP
1042                IP datagrams over IEEE 802 networks (for Ethernet)
1058                Route Information Protocol (RIP) version 1
1075                IP Multicast
1112                Internet Gateway Management Protocol (IGMP)
1122 and 1123       Requirements for Internet hosts (routers)
1141                Incremental updating of the Internet checksum
1155                Structure and Identification of Management Information (SMI)
1157                Simple Network Management Protocol (SNMP) version 1
1212                Concise MIB Definitions
1213                MIB II Definitions
1215                SNMP generic traps
1256                ICMP Router Discovery Protocol (IRDP)
1267                Border Gateway Protocol version 4 (BGP4) MIB
1340                Assigned numbers (where applicable)
1354                IP Forwarding Table MIB
1398                Ethernet-Like MIB
1493                Bridge MIB (excluding filtering of objects)
1541 and 1542       Dynamic Host Configuration Protocol (DHCP)
1583                Open Shortest Path First (OSPF)
1587                OSPF Not-So-Stubby Areas (NSSA)
1643                Ethernet-like MIB (incorporates RFC 1398)
1723                RIP version 2
1745                OSPF Interactions
1757                Remote Monitoring (RMON) groups 1, 2, 3, 9
1771                Border Gateway Protocol (BGP) version 4
1812                Requirements for IP version 4 routers
(illegible)         BGP Route Reflection
1977                BGP Communities
1997                BGP Communities Attributes
(illegible)         IP Tunneling
2030                Simple Network Time Protocol (SNTP) version 4
2068                HTTP
2138                Remote Authentication Dial In User Server (RADIUS)
2178                Open Shortest Path First (OSPF)
2328                OSPF Version 2
                    Note: AS External LSA reduction is supported.
2338                Virtual Router Redundancy Protocol (VRRP)
2362                IP Multicast PIM Sparse
2385                TCP MD5 Signature Option (for BGP4)
(illegible)         BGP Route Flap Dampening
2453                Route Information Protocol (RIP) version 2
2796                BGP Route Reflection
2842                BGP Capability Advertisement
2858                BGP Multi-protocol Extension




Internet Drafts 

In addition to the RFCs listed in "RFC Support" on page B-2, the routing switches support the following Internet 
drafts: 

• BGP-DRAFT-ROUTE-REFRESH-1.TXT, which describes the dynamic route refresh capability 

• IETF-IDMR-DVMRP version 3.05, obsoletes RFC 1075 

• IETF-IDMR-PIM-DM 05 (version 1 format) 
Index 



Numerics 

10/100 

mode 9-26 
1000BaseLx8-10 
1000BaseSx 8-10 
1000BaseT 8-10 
100BaseFX 8-10 
100BaseFX Ports 8-10 
100BaseTX 8-10 
10BaseT 8-10 

802.3x Gigabit negotiation 9-28 
9304M Routing Switch 2-8 
9308M Routing Switch 2-8 



A 

AC power 8-11 

connector 8-8 
Access 

CLI 2-21 

augmenting privilege level 3-9 
local user account 3-11 
lost password 2-13, 3-10 
RADIUS 3-31 
SNMP 

configuring 3-13 
IP ACL 3-4 
restricting 3-5 
TACACS/TACACS+ 3-16 
Telnet 

setting password 3-8 
Web management interface 3-13, 7-8 
disabling 3-7 
Access levels 2-12 
ACL 

SNMP access 3-4 
Telnet access 3-4 
Web management 3-4 
Address 
IP 2-13 



Age 

MAC 9-30 
Age interval 

IP multicast 

Layer 2 9-47 
Agency approvals A-2 
Air Flow 2-15 
Air Flow, Caution 2-3 
Altitude A-1 

Ambient temperature 2-3 
Ampere Ratings 2-3 
Architecture 8-5 
Assigning 

IP address 2-13 

password 2-12 
Authentication-method list 3-44 

B 

Bridging 

architecture 8-6 
Broadcast 

filter 9-55 

limiting 9-20 
Buffer 

port 8-8 

Syslog 9-16, 9-18 

C 

Cable 

length 2-18 

Straight-through 2-9 

straight-through 2-20 
Caution, Air Flow 2-3 
Caution, Circuit Overload 2-3 
Caution, grounding 2-3 
Caution, Power Cord 2-3 
Caution, Power Sockets 2-17 
Caution, Powering On 2-17 
Caution, Redundant Power Supply 2-2, 2-7 
Chassis 

architecture 8-5 

hardware overview 8-1 

module 8-1 

name 9-3 

poll interval 5-19 

replacing power supply 2-6 

slot and port numbers 8-8 

specifications A-1 

swapping modules 2-4 
CLI 7-7 

access 2-21 

access levels 2-12 

attaching serial cable 2-9 

command completion 2-22 

CONFIG Level 2-12 

line editing commands 2-22 

local user account 3-11 

logging on 2-21 

privilege level 

augmenting 3-9 

Privileged EXEC level 2-12 

scroll control 2-22 

securing access 2-12 

User EXEC level 2-12 
Clock 9-12 
Code 

downloading 6-1 

image name 7-1 

uploading 6-1 

version 7-2 
Command completion 

CLI 2-22 
Community string 

configuring 3-13 

encryption 3-14, 9-5 
CONFIG Level 2-12 
Configuration 

displaying 6-5 

erasing 6-9 

saving 6-5, 6-9 
Configuring 

security 3-1 
Connection, Serial 2-1 
Connections 2-19 
Connector 

console 2-9 

module 2-18 

power 8-8 
Console 

attaching 2-9 
Console Attachment 2-9 
Console Settings 2-9 
Contact information 9-3 
Conventions 

manual 1-1 
Cooling 2-4 
Ctrl-A 2-22 
Ctrl-B 2-22 



Ctrl-C 2-22 
Ctrl-D 2-22 
Ctrl-E 2-23 
Ctrl-F 2-23 
Ctrl-K 2-23 
Ctrl-L 2-23 
Ctrl-N 2-23 
Ctrl-P 2-23 
Ctrl-R 2-23 
Ctrl-U 2-23 
Ctrl-W 2-23 
Ctrl-X 2-23 
Ctrl-Z 2-23 
Current rating A-1 

D 

Default 

system 7-6, 9-58 
Default gateway 2-14 
Desktop Installation 2-15 
Device location 9-3 
Dimensions A-1 
DNS Resolver 7-11 
Downloading software 6-1 
Duplex mode 9-26 
Dynamic configuration 7-10 

E 

Electrical specifications A-1 
Electromagnetic emissions A-2 
EMC Regulatory Statements xi 
Emissions A-2 
Enable password 

assigning 2-12 
Encryption 

password 3-11 

SNMP community string 3-14, 9-5 
Event 

Syslog 9-14 

F 

Facility 

Syslog 9-16 
Fan 8-8 
Features 7-3 
Fiber 

cabling 2-20 
File synchronization 

redundant management module 5-10 
Filter 

broadcast 9-55 

MAC address 9-51 
lock 9-57 

multicast 9-47, 9-55 
Fixed-port 

architecture 8-6 

port numbers 8-8 
Fixed-port device 
overview 8-5 

specifications A-1 
Flash code 

downloading 6-1 

image name 7-1 

uploading 6-1 

version 7-2 
Flow control 

disabling 9-27 

G 

Gateway 

default 2-14 
Getting Help 1-3 
Gigabit 

negotiation 9-19, 9-28 
Global CONFIG Level 2-12 
Grounding ii, 2-3 

H 

Half-duplex mode 9-26 
Handles, Warning 2-1, 2-3 
Hardware 

architecture 8-5 

fan 8-8 

installation 2-1 

LEDs 8-9 

overview 8-1 

port 8-10 

port buffer 8-8 

power 8-11 

reset button 8-12 

specifications A-1 

Temperature sensor 8-12 

Help 

getting 1-3 
Host name 9-3 
Hot Swap 2-4 

modules 2-5 

redundant power supply 2-6 
Humidity A-1 

I 

IEEE tagging 9-33 
IGMP 

Layer 2 9-47 

query 

disabling 9-49 
IGMP snooping 9-48 
Image 

downloading 6-1 

name 7-1 

uploading 6-1 

version 7-2 
Installation 

desktop 2-15 

hardware 2-1 

location and clearance 2-4 



precautions 2-3 
rack 

chassis 2-15 
fixed-port device 2-16 
summary of 2-2 
Installing a System 2-2 
Interface 

number 8-8 
Internet drafts supported B-4 
Internet Explorer version required 2-25 
IP 

routing architecture 8-6 
IP ACL 

securing access 3-3 

SNMP access 3-4 

Telnet access 3-4 

Web management 3-4 
IP Address 

assigning 2-1 
IP address 

assigning 2-13 

security 3-5 
IP multicast 

traffic reduction 9-47 

IPX 

routing architecture 8-6 



L 

LAN Connections 2-19 
Laser specifications A-2 
Lasers 

IEC compliance x 
Layer 2 

age time 9-30 

architecture 8-6 

configuring basic parameters 9-29 

disabling 9-29 

MAC address filter 9-51 

MAC switching 7-15 
Layer 3 

architecture 8-6 
Layer 4 

Server Load Balancing 7-24 
LED Behavior 2-9 
LEDs 8-9 

redundant management module 5-7 
Lifting, warning 2-1 
Line editing commands 2-22 
Line frequency A-1 
Load sharing 

trunk group 9-38 
Local user account 3-11 
Lock 

MAC address 9-57 
Logging on 
CLI 2-21 

Web management interface 2-23 
M 

MAC 

address filter 9-51 

address lock 9-57 

static entries 9-31 

switching 7-15 
Management module 

redundant 5-1 
Manual nomenclature 1-1 
Mask, Network 2-1 
Memory 

port buffer 8-8 
Message 

TFTP error 6-8 
Mirror 

port 9-61 
Mode 

port 9-26 
Module 8-1 

connectors 2-18 

installing 2-4 

management 
redundant 5-1 

redundant management 5-1 
configuring 5-3 
default active module 5-5 
file synchronization 5-10 
status 5-7 

removing 2-4 
Monitor 

port 9-61 
Mounting 

air flow 2-15 

warning 2-15 
Multicast 

filter 9-47, 9-55 

Layer 2 9-47 

age interval 9-47 
query interval 9-47 

limiting 9-20 

traffic reduction 9-47 
Multi-netting 7-19 

N 

Name 

port 9-24 

software image file 7-1 
Negotiation 

Gigabit 9-19 
Netscape version required 2-25 
Network 

connection 2-18 
network connections 

troubleshooting 2-20 
Network Mask 2-1 

O 

Operating environment A-1 



Operating temperature 2-3 



P 

Package contents 2-1 
Password 2-12, 3-1 

assigning 2-12 

encryption 3-11 

lost 

accessing the device 2-13, 3-10 
Telnet 3-1 , 3-8 
Password, Lost 2-13 
PC 

attaching 2-9 
Physical dimensions A-1 
Pin assignments 

serial port 2-9 
Ping 7-13 
Pinouts 

serial port 2-11 
Poll interval 5-19 
Port 

buffer 8-8 

configuring basic parameters 9-23 
disabling 9-26 
flow control 9-27 
hardware 8-10 
IEEE tagging 9-33 
MAC address lock 9-57 
mirroring 9-61 
mode 9-26 
monitoring 9-61 
name 9-24 
number 8-8 
port-based VLAN 9-32 
speed 9-25 
trunk group 9-34 
displaying 9-45 

Power 

AC 8-1 1 

connector 8-8 
Power Cord 2-9 

caution 2-3, 2-17 
Power Supply 

See Redundant Power Supply. 2-7 
Power supply 

replacing 2-6 
Precautions 

installation 2-3 
Privilege level 

augmenting 3-9 
Privileged EXEC Level 2-12 
Privileged EXEC level 2-12 
Prompt 

customizing 2-11 
Proxy problem 

Web management access 2-23 






Q 

Query 
IGMP 

disabling 9-49 
Query interval 
IP multicast 

Layer 2 9-47 

R 

Rack installation 

chassis 2-15 

fixed-port device 2-16 
Rack Mounting 2-3, 2-16 

warning 2-3, 2-15 
Rack, Loading 2-3 
RADIUS 3-1, 3-31 
Read-only community string 7-8 
Read-write community string 7-8 

no default 3-13 
Redundant link 

trunk group 9-34 
Redundant management module 5-1 

configuring 5-3 

default active module 5-5 

file synchronization 5-10 

status 5-7 
Redundant power 8-12 
Redundant Power Supply 

Caution 2-2 

installing 2-6 

removing 2-7 
Regulatory Statements xi 
Reload 7-10 

scheduled 6-9 
Reset button 8-12 
RFCs supported B-2 
RMON 7-12 
Routing 

architecture 8-6 

RPS 

See Redundant Power Supply 2-2 
Running-config file 6-5 

S 

Scheduled reload 6-9 
Scroll control 2-22 
Secure Shell 4-1 
Security 3-1 

assigning Enable password 2-12 

Authentication-method list 3-44 

IP ACL 3-3 

IP address 3-5 

local user account 3-11 

MAC address lock 9-57 

RADIUS 3-31 

Secure Shell 4-1 

SNMP 

IP ACL 3-4 



TACACS/TACACS+ 3-16 
Telnet 

IP ACL 3-4 
Web management interface 
IP ACL 3-4 
Serial cable 2-9 
Serial Connection 2-1 
Serial Port Pinouts 2-11 
Service ii 

Settings, Terminal 2-9 
Shock Hazard, Warning 2-17 
Slot Cover Plates, Air Flow 2-3 
Slot number 8-8 
SNMP 

community string 3-1 
configuring 3-13 
encryption 3-14, 9-5 
read-only 7-8 
read-write 7-8 
configuring 9-5 
security 

IP ACL 3-4 
Syslog 7-12, 9-14 
trap 

disabling 9-7 

trap receiver 9-5 

trap source 9-6 
SNMPv2c 7-12 
SNTP 7-11 

server 9-10 
Soft reboot 7-10 
Software 

defaults 7-6 

downloading 6-1 

features 7-3 

image name 7-1 

overview 7-1 

RFC support B-2 

scheduled reload 6-9 

specifications B-1 

standards support B-1 

synchronization 

redundant management module 5-10 

uploading 6-1 

version 7-2 
Specifications 

hardware A-1 

software B-1 
Speed 

port 9-25 
SSH 4-1 

Standards supported B-1 
Startup-config file 

erasing 6-9 

loading 6-5 

saving 6-5, 6-9 
State agency approvals A-2 
Static MAC entries 9-31 
Storage environment A-2 
Super User 2-12 
Swapping modules 2-4 
Switch 

age time 9-30 

architecture 8-6 

configuring basic Layer 2 parameters 9-29 

disabling 9-29 

Layer 2 7-15 
Switchover 

redundant management module 5-2 

Syslog messages 5-9 
Syslog 7-12, 9-14 

buffer 9-16, 9-18 

changing facility 9-16 

disabling message level 9-15 

redundant management switchover 5-9 

server 9-15 

temperature 5-18 
System 

configuring basic parameters 9-3 
defaults 9-58 
installation 2-2 
name 9-3 

scheduled reload 6-9 
time 7-11 
unpacking 2-1 



T 

TACACS/TACACS+ 3-1, 3-16 
Telnet 7-11 

local user account 3-11 

password 3-8 

security 

IP ACL 3-4 
Temperature 2-3, A-1 

displaying 5-16 

poll interval 5-19 

sensor 5-2, 5-16, 8-12 

changing warning and shutdown levels 5-18 

Syslog 5-18 
Terminal Settings 2-9 
TFTP 7-11 

error message 6-8 

software 6-1 
Time 7-11 

SNTP server 9-10 

system clock 9-12 
Traceroute 7-13 
Trap 7-12 

disabling 9-7 

receiver 9-5 

source 9-6 

Syslog 9-14 
Troubleshooting network connections 2-20 
Trunk group 9-34 

displaying 9-45 

load sharing 9-38 



U 

Unknown-unicast rate 

limiting 9-20 
Unpacking a System 2-1 
Uploading software 6-1 
User account 3-1 
User EXEC level 2-12 
UTP 

cabling 2-20 



V 

Version 

software image file 7-2 
VLAN 

IEEE tagging 9-33 

port-based 9-32 
Voltage specifications A-1 

W 

Waldo 

where is 3-12 
Warning 

handles 2-1, 2-3 

rack or cabinet secured 2-3 

system placement in rack 2-15 

weight 2-1, 2-3 
Warning, Electrical Shock Hazard, Warning 2-17 
Warranty ii 

Web management interface 7-7 

access 3-13 

disabling 3-7 

local user account 3-11 

logging on 2-23 

password 2-23 

proxy problem 2-23 

security 

IP ACL 3-4 

user name 2-23 

using 2-24 
Weight 

warning 2-3, 2-15, 2-17 